CVE-2026-46421
Description
The SAP Cloud Application Programming Model is a tool for building enterprise-grade cloud applications, and cap-js/cds-dbs is the monorepo for SQL database services for that tool. On April 29, 2026, compromised versions of `@cap-js/[email protected]`, `@cap-js/[email protected]`, and `@cap-js/[email protected]` were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised. User should upgrade to `@cap-js/sqlite` >= 2.4.0, `@cap-js/postgres` >= 2.3.0, `@cap-js/db-service` >= 2.11.0. If a compromised version was ever installed, rotate all affected credentials. No known workarounds are available.
Is your site exposed to CVE-2026-46421?
Run a free security scan — no signup, results in seconds.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-46421? +
How do I check if I'm vulnerable to CVE-2026-46421? +
Related Vulnerabilities
Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats. Npm users of PUC 1.17.3 or PUC latest …
Prebid.js is a free and open source library for publishers to quickly implement header bidding. NPM users of prebid 10.9.2 …
PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality …
xrpl.js is a JavaScript/TypeScript API for interacting with the XRP Ledger in Node.js and the browser. Versions 4.2.1, 4.2.2, 4.2.3, …
DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm …
backlash parses collected strings with escapes. On 8 September 2025, the npm publishing account for backslash was taken over after …