CVE-2026-22707 Strapi Upload Plugin MIME Validation Bypass via Content API

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restrictions plugin.upload.security.allowedTypes and deniedTypes. The same restrictions were correctly...

Strapi Upload Plugin MIME Validation Bypass via Content API

Summary of CVE-2026-22707 Vulnerability Details - CVE: CVE-2026-22707 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N 5.3 — Medium - Affected Versions: @strapi/upload =5.33.3 Description of CVE-2026-22707 In Strapi versions prior to 5.33.3, the Upload plugin's...

GHSA-PCW7-5633-82VV Strapi Upload Plugin MIME Validation Bypass via Content API

Summary of CVE-2026-22707 Vulnerability Details - CVE: CVE-2026-22707 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N 5.3 — Medium - Affected Versions: @strapi/upload =5.33.3 Description of CVE-2026-22707 In Strapi versions prior to 5.33.3, the Upload plugin's...

@avorati/strapi-plugin-preview (=1.0.1), @catchmexz/fedin-cms (>=5.30.1 <=5.30.2) +9 more potentially affected by CVE-2026-22707 via @strapi/upload (>=5.0.0-beta.10 <=5.33.2)

@strapi/upload NPM version =5.0.0-beta.10, =5.30.1, =2.0.2, =0.0.1, =5.0.0, =3.0.0-beta.1, =3.0.0-beta.2 - stronges =0.1.1 - test-lead =0.1.0 Source cves: CVE-2026-22707 Source advisory: SNYK:JS-STRAPIUPLOAD-16691317...