PT-2026-57553 · Cap Go · Cap-Go

Offset

·

Published

2026-07-12

·

Updated

2026-07-12

·

CVE-2026-56281

CVSS v3.1

3.8

Low

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2
Description An issue exists in the 'POST /private/admin stats' endpoint where the limit parameter is extracted from an unvalidated request body and inserted directly into Cloudflare Analytics Engine SQL queries using template literals. An attacker with platform admin credentials can use this to inject SQL fragments, allowing them to enumerate dataset schemas, extract analytics data, or cause a denial-of-service against the analytics backend.
Recommendations Update to version 12.128.2 or later. Avoid using the limit parameter in the 'POST /private/admin stats' endpoint until the update is applied.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56281

Affected Products

Cap-Go