CVE-2026-46421

Enriched by CISA
 

The SAP Cloud Application Programming Model is a tool for building enterprise-grade cloud applications, and cap-js/cds-dbs is the monorepo for SQL database services for that tool. On April 29, 2026, compromised versions of `@cap-js/sqlite@2.2.2`, `@cap-js/postgres@2.2.2`, and `@cap-js/db-service@2.10.1` were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised. User should upgrade to `@cap-js/sqlite` >= 2.4.0, `@cap-js/postgres` >= 2.3.0, `@cap-js/db-service` >= 2.11.0. If a compromised version was ever installed, rotate all affected credentials. No known workarounds are available.
https://nvd.nist.gov/vuln/detail/CVE-2026-46421

Categories

CWE-506 : Embedded Malicious Code
Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.

References


 

AFFECTED (from MITRE)


Vendor Product Versions
cap-js @cap-js/sqlite
  • = 2.2.2 [affected]
cap-js @cap-js/postgres
  • = 2.2.2 [affected]
@cap-js/db-service @cap-js/db-service
  • = 2.10.1 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
442 Infected Software
High
448 Embed Virus into DLL
High
636 Hiding Malicious Data or Code within Files
High


MITRE


Techniques

id description
T1001.002 Data Obfuscation: Steganography
T1027.003 Obfuscated Files or Information: Steganography
T1027.004 Obfuscated Files or Information: Compile After Delivery
T1027.009 Obfuscated Files or Information: Embedded Payloads
T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools
T1195.002 Supply Chain Compromise: Compromise Software Supply Chain
T1218.001 Signed Binary Proxy Execution: Compiled HTML File
T1221 Template Injection
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id description
M1031 Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.
M1040 On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.
M1016 Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.
M1016 Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.
M1021 Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files
M1017 Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.