Lucene search
K

686 matches found

Github Security Blog
Github Security Blog
added 2026/05/14 1:17 p.m.15 views

Strapi may leak sensitive data via relational filtering due to lack of query sanitization

Summary of CVE-2026-27886 Vulnerability Details - CVE: CVE-2026-27886 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N 9.3 — Critical - Affected Versions: @strapi/strapi =5.37.0 Description of CVE-2026-27886 Strapi versions prior to 5.37.0 did not sufficiently...

9.2CVSS5.8AI score0.00612EPSS
Exploits5References3Affected Software1
vulnersOsv
vulnersOsv
added 2026/05/14 1:17 p.m.9 views

@avorati/strapi-plugin-preview (=1.0.1), @beardeddudes/strapi-types (>=0.1.0 <=0.1.1) +139 more potentially affected by CVE-2026-27886 via @strapi/strapi (>=4.0.2 <=5.36.0)

@strapi/strapi NPM version =4.0.2, =0.1.0, =1.0.1, =4.12.2, =1.0.0, =1.0.0, =1.0.0, =1.3.0, =1.3.4, =1.4.3 and more Source cves: CVE-2026-27886 Source advisory: SNYK:JS-STRAPISTRAPI-16690611...

9.2CVSS5.8AI score0.00612EPSS
Exploits5
OSV
OSV
added 2026/05/14 1:17 p.m.16 views

GHSA-RJG2-95X7-8QMX Strapi may leak sensitive data via relational filtering due to lack of query sanitization

Summary of CVE-2026-27886 Vulnerability Details - CVE: CVE-2026-27886 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N 9.3 — Critical - Affected Versions: @strapi/strapi =5.37.0 Description of CVE-2026-27886 Strapi versions prior to 5.37.0 did not sufficiently...

9.2CVSS5.8AI score0.00612EPSS
Exploits5References3
vulnersOsv
vulnersOsv
added 2026/05/14 1:17 p.m.9 views

@avorati/strapi-plugin-preview (=1.0.1), @beardeddudes/strapi-types (>=0.1.0 <=0.1.1) +139 more potentially affected by CVE-2026-27886 via @strapi/strapi (>=4.0.2 <=5.36.0)

@strapi/strapi NPM version =4.0.2, =0.1.0, =1.0.1, =4.12.2, =1.0.0, =1.0.0, =1.0.0, =1.3.0, =1.3.4, =1.4.3 and more Source cves: CVE-2026-27886 Source advisory: OSV:GHSA-RJG2-95X7-8QMX...

9.2CVSS5.8AI score0.00612EPSS
Exploits5
Snyk
Snyk
added 2026/05/14 1:17 p.m.16 views

Improper Neutralization of Special Elements in Data Query Logic

Overview @strapi/strapi is an updated version of the old 'strapi', which is a free and open-source headless CMS delivering your content anywhere you need. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic in the query parameter...

9.2CVSS5.8AI score0.00612EPSS
Exploits5References3
Github Security Blog
Github Security Blog
added 2026/05/14 1:12 p.m.13 views

Strapi Upload Plugin MIME Validation Bypass via Content API

Summary of CVE-2026-22707 Vulnerability Details - CVE: CVE-2026-22707 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N 5.3 — Medium - Affected Versions: @strapi/upload =5.33.3 Description of CVE-2026-22707 In Strapi versions prior to 5.33.3, the Upload plugin's...

5.4CVSS5.8AI score0.00195EPSS
Exploits0References3Affected Software1
vulnersOsv
vulnersOsv
added 2026/05/14 1:12 p.m.10 views

@avorati/strapi-plugin-preview (=1.0.1), @catchmexz/fedin-cms (>=5.30.1 <=5.30.2) +9 more potentially affected by CVE-2026-22707 via @strapi/upload (>=5.0.0-beta.10 <=5.33.2)

@strapi/upload NPM version =5.0.0-beta.10, =5.30.1, =2.0.2, =0.0.1, =5.0.0, =3.0.0-beta.1, =3.0.0-beta.2 - stronges =0.1.1 - test-lead =0.1.0 Source cves: CVE-2026-22707 Source advisory: SNYK:JS-STRAPIUPLOAD-16691317...

5.4CVSS5.8AI score0.00195EPSS
Exploits0
Snyk
Snyk
added 2026/05/14 1:12 p.m.9 views

Arbitrary File Upload

Overview @strapi/upload is a Makes it easy to upload images and files to your Strapi Application. Affected versions of this package are vulnerable to Arbitrary File Upload via the Content API uploadFiles and replaceFile handlers, which bypass administrator-configured MIME type restrictions. An...

5.4CVSS5.9AI score0.00195EPSS
Exploits0References2
OSV
OSV
added 2026/05/14 1:12 p.m.4 views

GHSA-PCW7-5633-82VV Strapi Upload Plugin MIME Validation Bypass via Content API

Summary of CVE-2026-22707 Vulnerability Details - CVE: CVE-2026-22707 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N 5.3 — Medium - Affected Versions: @strapi/upload =5.33.3 Description of CVE-2026-22707 In Strapi versions prior to 5.33.3, the Upload plugin's...

5.3CVSS5.8AI score0.00195EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.14 views

Strapi 路径遍历漏洞

Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi from 4.0.0 to 5.37.0 had a path traversal vulnerability. This vulnerability stemmed from insufficient cleanup of query parameters when filtering content using relationship fields...

9.2CVSS5.8AI score0.00612EPSS
Exploits5References1
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.13 views

Strapi 代码问题漏洞

Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi prior to 5.33.3 had code vulnerabilities. These vulnerabilities stemmed from a flaw in the Content API endpoint of the Upload plugin, which did not enforce the MIME type...

5.4CVSS5.9AI score0.00195EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.16 views

Strapi 代码问题漏洞

Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi prior to 5.33.3 had code vulnerabilities. These vulnerabilities stemmed from a lack of default functionality to invalidate existing refresh token sessions when a user’s password...

6.5CVSS5.9AI score0.00272EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.10 views

Strapi SQL注入漏洞

Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi prior to 4.26.1 and 5.33.2 contained a SQL injection vulnerability. This vulnerability stemmed from the Content-Type Builder API’s database query injection mechanism. This allowe...

9.3CVSS6.6AI score0.01178EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.29 views

PT-2026-40972

Name of the Vulnerable Software and Affected Versions Strapi versions 4.0.0 through 5.36.1 Description Strapi did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessible...

9.2CVSS5.8AI score0.00612EPSS
Exploits5References11
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.38 views

Strapi 安全漏洞

Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi prior to 5.45.0 contained security vulnerabilities. These vulnerabilities stemmed from a rate-limiting mechanism in the users-permissions plugin, which derived rate-limiting keys...

6.9CVSS6AI score0.00492EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/13 8:2 p.m.10 views

Strapi: Password Reset Does Not Revoke Existing Refresh Sessions

Summary of CVE-2026-22706 Vulnerability Details - CVE: CVE-2026-22706 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N 2.1 — Low - Affected Versions: @strapi/admin and @strapi/plugin-users-permissions =5.33.3 Description of CVE-2026-22706 In Strapi versions prio...

6.5CVSS5.8AI score0.00272EPSS
Exploits0References3Affected Software2
Snyk
Snyk
added 2026/05/13 8:2 p.m.11 views

Insufficient Session Expiration

Overview @strapi/admin is a Strapi Admin Affected versions of this package are vulnerable to Insufficient Session Expiration in the password reset or change operation. An attacker can maintain unauthorized access by continuing to use a previously obtained refresh token to generate new access...

6.9CVSS5.8AI score0.00272EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/05/13 8:2 p.m.11 views

@piksail/strapi-plugin-publish-coolify (=0.0.1), stronges (=0.1.1) +1 more potentially affected by CVE-2026-22706 via @strapi/plugin-users-permissions (>=5.11.0 <=5.30.0)

@strapi/plugin-users-permissions NPM version =5.11.0, =5.30.0 is affected by a known vulnerability. The following packages have a transitive dependency on @strapi/plugin-users-permissions and may be impacted: - @piksail/strapi-plugin-publish-coolify =0.0.1 - stronges =0.1.1 - test-lead =0.1.0...

6.5CVSS5.8AI score0.00272EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/13 8:2 p.m.7 views

@avorati/strapi-plugin-preview (=1.0.1), @catchmexz/fedin-cms (>=5.30.1 <=5.30.2) +11 more potentially affected by CVE-2026-22706 via @strapi/admin (>=5.0.0-alpha.0 <=5.33.2)

@strapi/admin NPM version =5.0.0-alpha.0, =5.30.1, =2.0.2, =0.0.1, =5.0.0, =5.0.0, =5.0.0, =3.0.0, =3.0.4 - stronges =0.1.1 - test-lead =0.1.0 Source cves: CVE-2026-22706 Source advisory: SNYK:JS-STRAPIADMIN-16682288...

6.5CVSS5.8AI score0.00272EPSS
Exploits0
OSV
OSV
added 2026/05/13 8:2 p.m.6 views

GHSA-HVP3-26WX-G2W4 Strapi: Password Reset Does Not Revoke Existing Refresh Sessions

Summary of CVE-2026-22706 Vulnerability Details - CVE: CVE-2026-22706 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N 2.1 — Low - Affected Versions: @strapi/admin and @strapi/plugin-users-permissions =5.33.3 Description of CVE-2026-22706 In Strapi versions prio...

2.1CVSS5.8AI score0.00272EPSS
Exploits0References3
Rows per page
Query Builder