21 matches found
@avorati/strapi-plugin-preview (=1.0.1), @catchmexz/fedin-cms (>=5.30.1 <=5.30.2) +11 more potentially affected by CVE-2026-22706 via @strapi/admin (>=5.0.0-alpha.0 <=5.33.2)
@strapi/admin NPM version =5.0.0-alpha.0, =5.30.1, =2.0.2, =0.0.1, =5.0.0, =5.0.0, =5.0.0, =3.0.0, =3.0.4 - stronges =0.1.1 - test-lead =0.1.0 Source cves: CVE-2026-22706 Source advisory: SNYK:JS-STRAPIADMIN-16682288...
Insufficient Session Expiration
Overview: @strapi/admin is a Strapi Admin package. Affected versions of this package are vulnerable to Insufficient Session Expiration in the password reset or change operation. An attacker can maintain unauthorized access by continuing to use a previously obtained refresh token to generate new access...
@abip/scp-common (=1.0.1-alpha.0), @akemona-org/strapi-admin (>=3.7.0 <=3.18.2) +401 more potentially affected by CVE-2026-1774 via @casl/ability (>=2.4.2 <=6.7.3)
@casl/ability NPM version =2.4.2, =3.7.0, =0.2.0, =0.3.1, =4.25.19-patch.1, =0.0.1, =0.0.1, =0.1.0, =1.7.0, =0.7.1, =0.13.85 and more Source cves: CVE-2026-1774 Source advisory: SNYK:JS-CASLABILITY-15268419...
@jhoward1994/strapi-plugin-ckeditor (>=0.0.1 <=0.0.1-rc5), @strapi/admin (=0.0.0-experimental.6dbac0c205b0f8495781db5706c18cac1a62e62b) +3 more potentially affected by CVE-2025-25298 via @strapi/core (>=0.0.0-experimental.a13c58eec89ab119f0e381fb79c0252979e9c125 <=5.10.2)
@strapi/core NPM version =0.0.0-experimental.a13c58eec89ab119f0e381fb79c0252979e9c125, =0.0.1, =0.0.0-experimental.0af49f5c5ec496b0fad61ac9bfd4d0127b89d8d3, =5.10.2 - custom-strapi-plugin-socket =1.0.2 Source cves: CVE-2025-25298 Source advisory: OSV:GHSA-2CJV-6WG9-F4F3...
@beardeddudes/strapi-types (=0.1.0), @bimbeo160/admin (=4.12.2) +67 more potentially affected by CVE-2025-25298 via @strapi/admin (>=4.0.0-beta.0 <=4.25.21)
@strapi/admin NPM version =4.0.0-beta.0, =4.12.2, =1.0.9, =1.3.2, =0.2.0, =1.0.0-alpha.0, =1.1.0, =4.12.4-lakileki.1, =4.12.4-rc4 - @musaev/strapi =4.12.4-rc2 and more Source cves: CVE-2025-25298 Source advisory: SNYK:JS-STRAPIADMIN-13601311...
Weak Encoding for Password
Overview: @strapi/admin is a Strapi Admin package. Affected versions of this package are vulnerable to Weak Encoding for Password due to the implementation of password hashing. An attacker can reduce the effective entropy of user passwords and potentially mislead users about the required password length by...
Insufficient Session Expiration
Overview: @strapi/admin is a Strapi Admin package. Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to invalidate JWTs after logout or account deactivation. An attacker can maintain unauthorized access by reusing a stolen or intercepted token until it...
@avorati/strapi-plugin-preview (=1.0.1), @futurebrand/helpers-strapi (>=2.0.2 <=2.5.4) +8 more potentially affected by CVE-2025-3930 via @strapi/admin (>=5.0.0-alpha.0 <=5.23.6)
@strapi/admin NPM version =5.0.0-alpha.0, =2.0.2, =0.0.1, =5.0.0, =5.0.0, =5.0.0, =5.23.6 - custom-strapi-plugin-socket =1.0.2 - stronges =0.1.1 - test-lead =0.1.0 Source cves: CVE-2025-3930 Source advisory: SNYK:JS-STRAPIADMIN-13601310...
EUVD-2022-3703
Malicious code in bioql PyPI...
Server Side Request Forgery (SSRF)
@strapi/admin is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to insufficient validation of webhook URLs, allowing requests to internal domains such as localhost and 127.0.0.1...
@beardeddudes/strapi-types (=0.1.0), @bimbeo160/admin (=4.12.2) +67 more potentially affected by CVE-2024-52588 via @strapi/admin (>=0.0.0-a230f29587d4a221c9c686ca4e467b3fb465631a <=4.25.19)
@strapi/admin NPM version =0.0.0-a230f29587d4a221c9c686ca4e467b3fb465631a, =4.12.2, =1.0.9, =1.3.2, =0.2.0, =1.0.0-alpha.0, =1.1.0, =4.12.4-lakileki.1, =4.12.4-rc4 - @musaev/strapi =4.12.4-rc2 - @musaev/strapiadmin =4.12.4 and more Source cves: CVE-2024-52588 Source advisory: OSV:GHSA-V8WJ-F5C7-P...
CVE-2022-30617
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For example, a...
CVE-2022-30618
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users from:users-permissions. There are many scenarios in whic...
@beardeddudes/strapi-types (=0.1.0), @mattie-bundle/mattie-strapi-bundle-example (>=1.0.0-alpha.0 <=1.0.0-alpha.3) +20 more potentially affected by CVE-2023-38507 via @strapi/admin (>=0.0.0-a230f29587d4a221c9c686ca4e467b3fb465631a <=4.12.0)
@strapi/admin NPM version =0.0.0-a230f29587d4a221c9c686ca4e467b3fb465631a, =1.0.0-alpha.0, =0.0.0-experimental.0af49f5c5ec496b0fad61ac9bfd4d0127b89d8d3, =0.0.0-00c0da0e5db43d5de823f6193c9a3fa0dd11a364, =0.0.0-02d487e4eec68a5961817a4f580ffead9a9362f0,...
@beardeddudes/strapi-types (=0.1.0), @mattie-bundle/mattie-strapi-bundle-example (>=1.0.0-alpha.0 <=1.0.0-alpha.3) +17 more potentially affected by CVE-2023-36472 via @strapi/admin (>=0.0.0-a230f29587d4a221c9c686ca4e467b3fb465631a <=4.11.6)
@strapi/admin NPM version =0.0.0-a230f29587d4a221c9c686ca4e467b3fb465631a, =1.0.0-alpha.0, =0.0.0-experimental.0af49f5c5ec496b0fad61ac9bfd4d0127b89d8d3, =0.0.0-00c0da0e5db43d5de823f6193c9a3fa0dd11a364, =0.0.0-02d487e4eec68a5961817a4f580ffead9a9362f0,...
GHSA-F6FM-R26Q-P747 Improper Removal of Sensitive Information Before Storage or Transfer in Strapi
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For example, a...
GHSA-VGJ7-895J-GPR6 Improper Removal of Sensitive Information Before Storage or Transfer in Strapi
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users from:users-permissions. There are many scenarios in whic...
Design/Logic Flaw
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users from:users-permissions. There are many scenarios in whic...