CVE-2026-22599: Strapi Vulnerable to SQL Injection in Content Type Builder

May 13, 2026

CVE: CVE-2026-22599
CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N (9.3 — Critical)
Affected Versions: @strapi/content-type-builder <=5.33.1 (v5), @strapi/plugin-content-type-builder <=4.26.0 (v4)
How to Patch: Immediately update your Strapi to >=5.33.2 (v5) or >=4.26.1 (v4)

References

github.com/advisories/GHSA-3xcq-8mjw-h6mx
github.com/strapi/strapi/releases/tag/v4.26.1
github.com/strapi/strapi/releases/tag/v5.33.2
github.com/strapi/strapi/security/advisories/GHSA-3xcq-8mjw-h6mx
nvd.nist.gov/vuln/detail/CVE-2026-22599

Code Behaviors & Features

Detect and mitigate CVE-2026-22599 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →