PT-2026-40834 · Strapi · @Strapi/Content-Type-Builder+1

Whiteov3Rflow · Published 2026-05-13 · Updated 2026-05-18 · CVE-2026-22599

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions
Strapi versions 4.0.0 through 4.26.0
Strapi versions 5.0.0 through 5.33.1

Description
A database-query injection exists in the Content-Type Builder write API. An authenticated administrator can inject arbitrary database statements through the column.defaultTo attribute during the creation or modification of a content type. By setting defaultTo as a tuple [value, { isRaw: true }], the value is passed directly into Knex's db.connection.raw() function without sanitization, allowing arbitrary statement execution at the database layer. Depending on the database engine in use, this can lead to arbitrary file reads via database utility functions, denial of service through forced server crashes during schema migration, or remote code execution against the database server on engines that permit external program execution. The issue affects the '/content-type-builder/content-types' endpoint and related write APIs.

Recommendations
Update versions 4.0.0 through 4.26.0 to 4.26.1. Update versions 5.0.0 through 5.33.1 to 5.33.2. Restrict access to the '/content-type-builder/content-types' endpoint and related write APIs to development mode only.

Fix · DoS · RCE · SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-22599
GHSA-3XCQ-8MJW-H6MX

Affected Products

@Strapi/Content-Type-Builder
@Strapi/Plugin-Content-Type-Builder