Impact
Strapi versions on the 4.x branch before 4.26.1 and on the 5.x branch before 5.33.2 contain a database-query injection flaw in the Content-Type Builder write API. An authenticated administrator can supply an arbitrary value for the `column.defaultTo` attribute; by passing a tuple instead of a scalar, the value instructs Knex to send the supplied SQL directly to the database with no sanitization. This permits the attacker to execute arbitrary SQL statements at the database layer. Depending on the database engine, the consequences include reading arbitrary files, crashing the schema migration (denial of service), or executing external programs, which is effectively remote code execution against the database server.
Affected Systems
The vulnerable products are the Strapi open-source CMS, specifically the strapi/content-type-builder and strapi:strapi modules. 4.x releases before 4.26.1 and 5.x releases before 5.33.2 are affected. Later releases (4.26.1, 5.33.2 and beyond) contain a mitigated implementation that restricts the write APIs to development mode and returns 404 for the privileged endpoints in production, removing the attack surface from production deployments.
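The two defensive measures described above (refusing structured values where a scalar column default is expected, and hiding the builder's write API outside development mode) are illustrated below. This is an added example and not Strapi's or Knex's own code; the function names `isSafeDefaultTo`, `rejectedDefaults` and `guardWriteApi`, the `sampleAttributes` payload and its attribute names are all constructed for this illustration, and the `default` key is assumed to be where a submitted attribute carries the value that ends up in `column.defaultTo`.

```javascript
// Added defensive example (not Strapi's own implementation).
// Two checks a deployment can place in front of a content-type-builder
// style write API:
//   1. accept only JSON scalars as an attribute's default value, so a
//      structured value (array/object) never reaches the query builder,
//      which may treat such values as raw SQL fragments;
//   2. serve write methods only in development and answer 404 elsewhere,
//      mirroring the mitigation strategy described for the fixed releases.

const SCALAR_TYPES = new Set(['string', 'number', 'boolean']);

// A default value is safe to forward only when it is a finite number,
// a string, a boolean, or null/undefined (meaning "no default").
function isSafeDefaultTo(value) {
  if (value === null || value === undefined) return true;
  if (Array.isArray(value)) return false;
  if (!SCALAR_TYPES.has(typeof value)) return false;
  return typeof value !== 'number' || Number.isFinite(value);
}

// Walk an attributes map ({ name: { type, default, ... } }) and return the
// names of attributes whose default value fails the scalar check. The caller
// rejects the whole request when this list is non-empty.
function rejectedDefaults(attributes) {
  const bad = [];
  for (const [name, attr] of Object.entries(attributes)) {
    const hasDefault =
      attr !== null && typeof attr === 'object' &&
      Object.prototype.hasOwnProperty.call(attr, 'default');
    if (hasDefault && !isSafeDefaultTo(attr.default)) bad.push(name);
  }
  return bad;
}

// Return the HTTP status a guard in front of the builder API would answer:
// read methods pass through; write methods are served only in development
// and otherwise receive 404, so the endpoints look like non-existent routes.
const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
function guardWriteApi(nodeEnv, method) {
  if (!WRITE_METHODS.has(String(method).toUpperCase())) return 200;
  return nodeEnv === 'development' ? 200 : 404;
}

// Constructed sample payload shaped like an attributes map submitted to the
// builder. Only `score` carries a structured (non-scalar) default.
const sampleAttributes = {
  title: { type: 'string', default: 'Untitled' },
  views: { type: 'integer', default: 0 },
  published: { type: 'boolean', default: false },
  notes: { type: 'text' },                                        // no default
  score: { type: 'float', default: ['constructed', 'non-scalar'] }, // rejected
};

console.log('attributes with rejected defaults:', rejectedDefaults(sampleAttributes));
console.log('POST to builder in production ->', guardWriteApi('production', 'POST'));
console.log('POST to builder in development ->', guardWriteApi('development', 'POST'));
```

Run with `node` to see `score` reported as rejected and the write method answered with 404 outside development. The scalar check is deliberately an allow-list: anything that is not a string, finite number, boolean or null is refused, rather than trying to recognise the particular structured shapes a query builder might interpret.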
Risk and Exploitability
The CVSS score of 9.3 indicates critical severity. No EPSS score is available, but the number of deployments still running unmitigated versions and the possibility of turning the flaw into remote access to the database elevate the risk. The flaw is not yet listed in any KEV catalog, but the high CVSS score and the real-world impact potential make it a top priority. Because the attack requires administrator credentials and relies on direct API calls to the Content-Type Builder, it is most likely to be carried out by insiders or through compromised admin accounts, though any attacker who obtains those credentials can use it. The removal of the network-reachable API surface in recent releases lowers the likelihood, unless production environments still expose the endpoints.
OpenCVE Enrichment
GitHub GHSA