Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Strapi
CVE-2026-27886 Vulnerability Assessment Tool Safely detect wh...
EUVD-2026-30366
Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessibl...
CVE-2026-22706
Strapi (prior to 5.33.3) did not revoke refresh-token sessions on password change/reset when deviceId was not supplied, allowing an attacker with a refresh token to mint new access tokens until expiry. The fix in 5.33.3 invalidates all user refresh tokens on every password change/reset and issues...
PT-2026-40780
Name of the Vulnerable Software and Affected Versions: @strapi/upload versions prior to 5.33.3. Description: In the Upload plugin, Content API endpoints failed to enforce administrator-configured MIME type restrictions defined in plugin.upload.security.allowedTypes and deniedTypes. While these...
CVE-2024-56143
Strapi 5.0.0–5.5.1 is vulnerable due to improper sanitization of the document service lookup operator for private fields, enabling an attacker to access sensitive data (e.g., admin passwords, reset tokens). The issue is fixed in Strapi 5.5.2. Affected software, root cause, and impact are corrobor...
Strapi Security Vulnerabilities
Strapi is an open source content management system (CMS). A security vulnerability exists in Strapi versions prior to 4.19.1 that stems from the fact that when a super administrator creates a collection in which the items in the collection are associated with another collection, another user with t...
Strapi Security Vulnerabilities
Strapi is an open source content management system (CMS). A security vulnerability exists in Strapi versions prior to 4.24.2, which stems from a vulnerability that allows an unauthenticated attacker to bypass the authentication mechanism and retrieve a third-party token...
@beardeddudes/strapi-types (>=0.1.0 <=0.1.1), @bilberrry/strapi-plugin-link-finder (>=1.0.1 <=1.0.2) +118 more potentially affected by CVE-2023-22894 via @strapi/strapi (>=4.0.0-beta.0 <=4.7.2-exp.24dd7d95972fa822bf43e9b095b51027402c229e)
@strapi/strapi NPM version =4.0.0-beta.0, =0.1.0, =1.0.1, =4.12.2, =1.0.0, =0.0.1, =1.0.5, =1.0.5, =1.0.9, =0.0.1, =0.1.0, =1.3.2, =1.7.0 - @iliad.dev/atlas-adapter =0.2.11 and more Source cves: CVE-2023-22894 Source advisory: OSV:GHSA-JJQF-J4W7-92W8...
Strapi Injection Vulnerability
Strapi is an open source content management system (CMS). A security vulnerability exists in Strapi versions prior to 4.5.5, which can be exploited by an attacker to inject a crafted payload that executes code on the server into an email template, thereby bypassing validation checks that are suppos...
PT-2022-20719 · Strapi · Strapi
Name of the Vulnerable Software and Affected Versions: Strapi versions 3.x through 3.6.9 Strapi versions 4.x through 4.1.9 Description: The issue concerns the mishandling of hidden attributes within admin API responses. Recommendations: For Strapi versions 3.x through 3.6.9, update to version...
Strapi Security Vulnerability
Strapi is an open source content management system (CMS). A security vulnerability exists in Strapi versions 3.0 prior to 3.6.9 and 4.0 prior to 4.1.9, which stems from the fact that details from API users may be leaked into JSON responses in the admin panel through a direct or indirect relationshi...