Threat Advisory

Strapi Vulnerability Exposes SQL Injection Path

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-22599 (CVSS 9.3) is a database-query injection vulnerability in the write API of the Strapi Content-Type Builder. It affects @strapi/content-type-builder <=5.33.1 (Strapi v5) and @strapi/plugin-content-type-builder <=4.26.0 (Strapi v4). An authenticated administrator with access to the Content-Type Builder API can place crafted input in an attribute's column.defaultTo value when creating or modifying a content type; Strapi passes that value into the query it runs against the database for the schema change, so the attacker can execute arbitrary statements at the database layer. Depending on the database engine and the privileges of the account Strapi connects with, this can yield arbitrary file read, denial of service, remote code execution, or elevated privileges on the database server. Successful exploitation can therefore lead to data breaches, server crashes, and unauthorized access to sensitive information. Exploitation requires administrator authentication and access to the Content-Type Builder API, so the practical risk is concentrated in compromised or malicious administrator accounts, each of which becomes a direct path to the database.

RECOMMENDATION:

  • We recommend updating @strapi/content-type-builder to version >=5.33.2 (Strapi v5) or @strapi/plugin-content-type-builder to version >=4.26.1 (Strapi v4).
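
To check whether an installation falls inside the affected ranges before and after updating, the following Node.js script walks a package-lock.json and flags the two packages named above. This is an added example written for this advisory, not code from Strapi or from the advisory's authors; the embedded SAMPLE_LOCKFILE is a constructed lockfile fragment, and the version comparison handles only the major.minor.patch core (prerelease tags are ignored).

```javascript
// Added example (not Strapi's code): flag installed Content-Type Builder
// versions inside the ranges the advisory lists as affected.
// Usage: node check-ctb.js path/to/package-lock.json
// With no argument it scans the constructed SAMPLE_LOCKFILE below.

const AFFECTED = {
  // package name                          : last vulnerable / first fixed version
  '@strapi/content-type-builder':        { vulnerableThrough: '5.33.1', fixed: '5.33.2' }, // Strapi v5
  '@strapi/plugin-content-type-builder': { vulnerableThrough: '4.26.0', fixed: '4.26.1' }, // Strapi v4
};

// Minimal semver core comparison (major.minor.patch). Leading ^/~/v and any
// prerelease suffix are stripped, so "5.33.2-beta.1" is treated as 5.33.2.
// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^[v^~]/, '').split('-')[0].split('.').map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `name` is one of the advisory's packages and `version` is at or
// below the last vulnerable release for that package line.
function isVulnerable(name, version) {
  const range = AFFECTED[name];
  if (!range) return false;
  return compareVersions(version, range.vulnerableThrough) <= 0;
}

// Walk a lockfileVersion 2/3 "packages" map. Keys look like
// "node_modules/@strapi/content-type-builder", possibly nested under
// another package's node_modules; only the trailing package name matters.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const m = path.match(/node_modules\/(@strapi\/[a-z-]+)$/);
    if (!m || !entry.version) continue;
    if (isVulnerable(m[1], entry.version)) {
      hits.push({ name: m[1], version: entry.version, fixed: AFFECTED[m[1]].fixed, path });
    }
  }
  return hits;
}

// Constructed sample: a v5 app still on the vulnerable builder, plus a stray
// v4 plugin that is already at its fixed release.
const SAMPLE_LOCKFILE = {
  name: 'example-strapi-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-strapi-app', dependencies: { '@strapi/strapi': '5.33.1' } },
    'node_modules/@strapi/strapi': { version: '5.33.1' },
    'node_modules/@strapi/content-type-builder': { version: '5.33.1' },
    'node_modules/@strapi/plugin-content-type-builder': { version: '4.26.1' },
  },
};

function report(lockfile) {
  const hits = findAffected(lockfile);
  if (hits.length === 0) {
    console.log('No affected Content-Type Builder versions found.');
  }
  for (const h of hits) {
    console.log(`VULNERABLE ${h.name}@${h.version} at ${h.path}: update to >=${h.fixed}`);
  }
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lockfile = file
    ? JSON.parse(require('fs').readFileSync(file, 'utf8'))
    : SAMPLE_LOCKFILE;
  report(lockfile);
}
```

Run it against each deployment's lockfile rather than package.json: the lockfile records the resolved version actually installed, which is what the affected ranges refer to. A clean result only confirms the package version; it says nothing about administrator accounts that may already have abused the flaw, so pair it with a review of recent content-type changes made through the admin API.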

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-3xcq-8mjw-h6mx
