686 matches found
Strapi may leak sensitive data via relational filtering due to lack of query sanitization
Summary of CVE-2026-27886 Vulnerability Details - CVE: CVE-2026-27886 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N 9.3 — Critical - Affected Versions: @strapi/strapi =5.37.0 Description of CVE-2026-27886 Strapi versions prior to 5.37.0 did not sufficiently...
@avorati/strapi-plugin-preview (=1.0.1), @beardeddudes/strapi-types (>=0.1.0 <=0.1.1) +139 more potentially affected by CVE-2026-27886 via @strapi/strapi (>=4.0.2 <=5.36.0)
@strapi/strapi NPM version =4.0.2, =0.1.0, =1.0.1, =4.12.2, =1.0.0, =1.0.0, =1.0.0, =1.3.0, =1.3.4, =1.4.3 and more Source cves: CVE-2026-27886 Source advisory: SNYK:JS-STRAPISTRAPI-16690611...
GHSA-RJG2-95X7-8QMX Strapi may leak sensitive data via relational filtering due to lack of query sanitization
Summary of CVE-2026-27886 Vulnerability Details - CVE: CVE-2026-27886 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N 9.3 — Critical - Affected Versions: @strapi/strapi =5.37.0 Description of CVE-2026-27886 Strapi versions prior to 5.37.0 did not sufficiently...
@avorati/strapi-plugin-preview (=1.0.1), @beardeddudes/strapi-types (>=0.1.0 <=0.1.1) +139 more potentially affected by CVE-2026-27886 via @strapi/strapi (>=4.0.2 <=5.36.0)
@strapi/strapi NPM version =4.0.2, =0.1.0, =1.0.1, =4.12.2, =1.0.0, =1.0.0, =1.0.0, =1.3.0, =1.3.4, =1.4.3 and more Source cves: CVE-2026-27886 Source advisory: OSV:GHSA-RJG2-95X7-8QMX...
Improper Neutralization of Special Elements in Data Query Logic
Overview @strapi/strapi is an updated version of the old 'strapi', which is a free and open-source headless CMS delivering your content anywhere you need. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic in the query parameter...
Strapi Upload Plugin MIME Validation Bypass via Content API
Summary of CVE-2026-22707 Vulnerability Details - CVE: CVE-2026-22707 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N 5.3 — Medium - Affected Versions: @strapi/upload =5.33.3 Description of CVE-2026-22707 In Strapi versions prior to 5.33.3, the Upload plugin's...
@avorati/strapi-plugin-preview (=1.0.1), @catchmexz/fedin-cms (>=5.30.1 <=5.30.2) +9 more potentially affected by CVE-2026-22707 via @strapi/upload (>=5.0.0-beta.10 <=5.33.2)
@strapi/upload NPM version =5.0.0-beta.10, =5.30.1, =2.0.2, =0.0.1, =5.0.0, =3.0.0-beta.1, =3.0.0-beta.2 - stronges =0.1.1 - test-lead =0.1.0 Source cves: CVE-2026-22707 Source advisory: SNYK:JS-STRAPIUPLOAD-16691317...
Arbitrary File Upload
Overview @strapi/upload is a Makes it easy to upload images and files to your Strapi Application. Affected versions of this package are vulnerable to Arbitrary File Upload via the Content API uploadFiles and replaceFile handlers, which bypass administrator-configured MIME type restrictions. An...
GHSA-PCW7-5633-82VV Strapi Upload Plugin MIME Validation Bypass via Content API
Summary of CVE-2026-22707 Vulnerability Details - CVE: CVE-2026-22707 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N 5.3 — Medium - Affected Versions: @strapi/upload =5.33.3 Description of CVE-2026-22707 In Strapi versions prior to 5.33.3, the Upload plugin's...
Strapi 路径遍历漏洞
Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi from 4.0.0 to 5.37.0 had a path traversal vulnerability. This vulnerability stemmed from insufficient cleanup of query parameters when filtering content using relationship fields...
Strapi 代码问题漏洞
Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi prior to 5.33.3 had code vulnerabilities. These vulnerabilities stemmed from a flaw in the Content API endpoint of the Upload plugin, which did not enforce the MIME type...
Strapi 代码问题漏洞
Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi prior to 5.33.3 had code vulnerabilities. These vulnerabilities stemmed from a lack of default functionality to invalidate existing refresh token sessions when a user’s password...
Strapi SQL注入漏洞
Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi prior to 4.26.1 and 5.33.2 contained a SQL injection vulnerability. This vulnerability stemmed from the Content-Type Builder API’s database query injection mechanism. This allowe...
PT-2026-40972
Name of the Vulnerable Software and Affected Versions Strapi versions 4.0.0 through 5.36.1 Description Strapi did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessible...
Strapi 安全漏洞
Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi prior to 5.45.0 contained security vulnerabilities. These vulnerabilities stemmed from a rate-limiting mechanism in the users-permissions plugin, which derived rate-limiting keys...
Strapi: Password Reset Does Not Revoke Existing Refresh Sessions
Summary of CVE-2026-22706 Vulnerability Details - CVE: CVE-2026-22706 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N 2.1 — Low - Affected Versions: @strapi/admin and @strapi/plugin-users-permissions =5.33.3 Description of CVE-2026-22706 In Strapi versions prio...
Insufficient Session Expiration
Overview @strapi/admin is a Strapi Admin Affected versions of this package are vulnerable to Insufficient Session Expiration in the password reset or change operation. An attacker can maintain unauthorized access by continuing to use a previously obtained refresh token to generate new access...
@piksail/strapi-plugin-publish-coolify (=0.0.1), stronges (=0.1.1) +1 more potentially affected by CVE-2026-22706 via @strapi/plugin-users-permissions (>=5.11.0 <=5.30.0)
@strapi/plugin-users-permissions NPM version =5.11.0, =5.30.0 is affected by a known vulnerability. The following packages have a transitive dependency on @strapi/plugin-users-permissions and may be impacted: - @piksail/strapi-plugin-publish-coolify =0.0.1 - stronges =0.1.1 - test-lead =0.1.0...
@avorati/strapi-plugin-preview (=1.0.1), @catchmexz/fedin-cms (>=5.30.1 <=5.30.2) +11 more potentially affected by CVE-2026-22706 via @strapi/admin (>=5.0.0-alpha.0 <=5.33.2)
@strapi/admin NPM version =5.0.0-alpha.0, =5.30.1, =2.0.2, =0.0.1, =5.0.0, =5.0.0, =5.0.0, =3.0.0, =3.0.4 - stronges =0.1.1 - test-lead =0.1.0 Source cves: CVE-2026-22706 Source advisory: SNYK:JS-STRAPIADMIN-16682288...
GHSA-HVP3-26WX-G2W4 Strapi: Password Reset Does Not Revoke Existing Refresh Sessions
Summary of CVE-2026-22706 Vulnerability Details - CVE: CVE-2026-22706 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N 2.1 — Low - Affected Versions: @strapi/admin and @strapi/plugin-users-permissions =5.33.3 Description of CVE-2026-22706 In Strapi versions prio...