
32 matches found

Vulnrichment
added 2026/05/14 6:32 p.m. · 6 views

CVE-2025-64526 Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...

CVSS 6.9 · AI score 6 · EPSS 0.0001
Exploits 0 · References 4
Cvelist
added 2026/05/14 6:32 p.m. · 27 views

CVE-2025-64526 Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...

CVSS 6.9 · EPSS 0.0001
Exploits 0 · References 4
CVE
added 2026/05/14 6:32 p.m. · 13 views

CVE-2025-64526

CVE-2025-64526 (Strapi) affects the @strapi/plugin-users-permissions rate-limiting key construction. In Strapi versions prior to 5.45.0, the rate-limit middleware used the request body’s email field as part of the rate-limit key (userIdentifier = ctx.request.body.email), even on routes where the ...

CVSS 6.9 · AI score 6 · EPSS 0.0001
Exploits 0 · References 4 · Affected Software 1
CNNVD
added 2026/05/14 12:00 a.m. · 7 views

Strapi security vulnerability

Strapi is an open-source content management system (CMS) developed by the Strapi community in France. Versions of Strapi prior to 5.45.0 contained security vulnerabilities. These vulnerabilities stemmed from a rate-limiting mechanism in the users-permissions plugin, which derived rate-limiting keys...

CVSS 6.9 · AI score 6 · EPSS 0.0001
Exploits 0 · References 2
vulnersOsv
added 2026/05/13 8:02 p.m. · 7 views

@piksail/strapi-plugin-publish-coolify (=0.0.1), stronges (=0.1.1) +1 more potentially affected by CVE-2026-22706 via @strapi/plugin-users-permissions (>=5.11.0 <=5.30.0)

@strapi/plugin-users-permissions NPM version =5.11.0, =5.30.0 is affected by a known vulnerability. The following packages have a transitive dependency on @strapi/plugin-users-permissions and may be impacted: - @piksail/strapi-plugin-publish-coolify =0.0.1 - stronges =0.1.1 - test-lead =0.1.0...

CVSS 6.5 · AI score 5.8 · EPSS 0.00059
Exploits 0
Github Security Blog
added 2026/05/13 8:02 p.m. · 7 views

Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Summary of CVE-2025-64526 Vulnerability Details - CVE: CVE-2025-64526 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N 6.9 — Medium - Affected Versions: @strapi/plugin-users-permissions =5.45.0 Description of CVE-2025-64526 In Strapi versions prior to 5.45.0, th...

CVSS 6.9 · AI score 6 · EPSS 0.0001
Exploits 0 · References 6 · Affected Software 1
OSV
added 2026/05/13 8:02 p.m. · 4 views

GHSA-7MQX-WWH4-F9FW Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Summary of CVE-2025-64526 Vulnerability Details - CVE: CVE-2025-64526 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N 6.9 — Medium - Affected Versions: @strapi/plugin-users-permissions =5.45.0 Description of CVE-2025-64526 In Strapi versions prior to 5.45.0, th...

CVSS 6.9 · AI score 6 · EPSS 0.0001
Exploits 0 · References 6
vulnersOsv
added 2026/05/13 8:02 p.m. · 5 views

@piksail/strapi-plugin-publish-coolify (=0.0.1), cypherscan-strapi (=0.1.1) +4 more potentially affected by CVE-2025-64526 via @strapi/plugin-users-permissions (>=5.11.0 <=5.42.1)

@strapi/plugin-users-permissions NPM version =5.11.0, =0.1.0, =0.1.4 - stronges =0.1.1 - test-lead =0.1.0 Source cves: CVE-2025-64526 Source advisory: SNYK:JS-STRAPIPLUGINUSERSPERMISSIONS-16683088...

CVSS 6.9 · AI score 5.8 · EPSS 0.0001
Exploits 0
Positive Technologies
added 2026/05/13 12:00 a.m. · 6 views

PT-2026-40833

Name of the Vulnerable Software and Affected Versions Strapi versions prior to 5.45.0 Description The rate-limit middleware in the users-permissions plugin incorrectly derives its rate-limit key using ctx.request.body.email, even on routes where the body schema does not require an email field, su...

CVSS 6.9 · AI score 6 · EPSS 0.0001
Exploits 0 · References 8
Positive Technologies
added 2025/10/27 12:00 a.m. · 3 views

PT-2025-43988

Name of the Vulnerable Software and Affected Versions BAE SOCET GXP versions prior to 4.6.0.2 Description The SOCET GXP Job Service lacks authentication. This may permit remote users to submit jobs, or local users to submit jobs that execute with the permissions of other users. Recommendations...

CVSS 8.8 · AI score 6.6 · EPSS 0.00163
Exploits 0 · References 4
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2009-0804

Malware in sbrugna...

CVSS 6.5 · AI score 9.4 · EPSS 0.00335
Exploits 0 · References 4
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2012-4181

Malware in sbrugna...

CVSS 6.8 · AI score 6.3 · EPSS 0.00463
Exploits 2 · References 11
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2016-1311

Malware in sbrugna...

CVSS 7.8 · AI score 7.6 · EPSS 0.00032
Exploits 0 · References 4
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2016-0030

Malware in sbrugna...

CVSS 5.3 · AI score 5.6 · EPSS 0.00566
Exploits 0 · References 16
EUVD
added 2025/10/07 12:30 a.m. · 5 views

EUVD-2000-0867

Malware in sbrugna...

CVSS 3.6 · AI score 6.4 · EPSS 0.00342
Exploits 1 · References 4
RedhatCVE
added 2025/05/21 6:22 p.m. · 7 views

CVE-1999-0129

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file...

CVSS 4.6 · AI score 6.4 · EPSS 0.00122
Exploits 0 · References 1
OSV
added 2025/04/01 2:19 p.m. · 6 views

GHSA-8P83-CPFG-FJ3G Rancher: Restricted Administrator can change Administrator's passwords

Impact A vulnerability has been identified within Rancher where a Restricted Administrator can change the password of Administrators and take over their accounts. A Restricted Administrator should not be allowed to change the password of more privileged users unless it contains the Manage Users...

CVSS 9.1 · AI score 9.1 · EPSS 0.00235
Exploits 0 · References 4
OSV
added 2024/06/12 7:39 p.m. · 21 views

GHSA-WRVH-RCMR-9QFC @strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass

Summary By combining two vulnerabilities, an Open Redirect and a session token sent as a URL query parameter, in the Strapi framework it is possible for an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Impact...

CVSS 7.1 · AI score 8 · EPSS 0.00796
Exploits 1 · References 4
vulnersOsv
added 2024/06/12 7:39 p.m. · 4 views

@chargeover/strapi (=0.0.1-rc1.1), @cowprotocol/cms (=0.1.0-rc.5) +14 more potentially affected by CVE-2024-34065 via @strapi/plugin-users-permissions (>=4.0.0-beta.0 <=4.1.9)

@strapi/plugin-users-permissions NPM version =4.0.0-beta.0, =1.0.0-alpha.0, =0.0.1, =0.1.0, =0.1.10 - strapi-voting =0.2.1 - strapigo =0.1.0 - sveltekit-strapi =0.1.0 and more Source cves: CVE-2024-34065 Source advisory: OSV:GHSA-WRVH-RCMR-9QFC...

CVSS 8.1 · AI score 7.2 · EPSS 0.00796
Exploits 1
Positive Technologies
added 2024/06/12 12:00 a.m. · 3 views

PT-2024-25676 · Strapi · @Strapi/Plugin-Users-Permissions

Name of the Vulnerable Software and Affected Versions: @strapi/plugin-users-permissions versions prior to 4.24.2 Description: The issue arises from combining two vulnerabilities in @strapi/plugin-users-permissions: an Open Redirect and a session token sent as a URL query parameter. This allows an...

CVSS 8.1 · AI score 7.3 · EPSS 0.00796
Exploits 1 · References 9