CVE-2026-46421

描述

## Impact On April 29, 2026, compromised versions of `@cap-js/[email protected]`, `@cap-js/[email protected]`, and `@cap-js/[email protected]` were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised. ## Patches Upgrade to `@cap-js/sqlite` >= 2.4.0, `@cap-js/postgres` >= 2.3.0, `@cap-js/db-service` >= 2.11.0. If a compromised version was ever installed, rotate all affected credentials. ## Workarounds No workarounds.

如何修補 CVE-2026-46421

要修補 CVE-2026-46421,請將受影響套件升級到下列已修補版本。

• —升級至 2.11.0 或更新版本
• —升級至 2.3.0 或更新版本
• —升級至 2.3.0 或更新版本

CVE-2026-46421 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-46421 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(3)

• >= 2.10.1, < 2.11.0
• >= 2.2.2, < 2.3.0
• >= 2.2.2, < 2.3.0

參考連結(5)

• PATCHgithub.com/cap-js/cds-dbs
• WEBgithub.com/cap-js/cds-dbs/security/advisories/GHSA-pvw4-cvr4-97p8
• WEBme.sap.com/notes/3747787
• WEBwww.sap.com/documents/2026/05/8203a8b9-4d7f-0010-bca6-c68f7e60039b.html
• WEB