Lucene search
+L

37 matches found

euvd
euvd
added 2026/06/30 12:31 a.m.8 views

EUVD-2026-40234

Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass...

6.3CVSS5.8AI score0.00147EPSS
Exploits0References5
vulnrichment
vulnrichment
added 2026/06/29 9:16 p.m.6 views

CVE-2026-57997 Strapi users-permissions - JWT Algorithm Confusion via Missing Algorithm Configuration

Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass...

6.3CVSS5.8AI score0.00147EPSS
Exploits0References4
cvelist
cvelist
added 2026/06/29 9:16 p.m.26 views

CVE-2026-57997 Strapi users-permissions - JWT Algorithm Confusion via Missing Algorithm Configuration

Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass...

6.3CVSS0.00147EPSS
Exploits0References4
osv
osv
added 2026/06/29 9:16 p.m.5 views

CVE-2026-57997 Strapi users-permissions - JWT Algorithm Confusion via Missing Algorithm Configuration

Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass...

6.3CVSS6AI score0.00147EPSS
Exploits0References6
cve
cve
added 2026/05/14 6:32 p.m.47 views

CVE-2025-64526

CVE-2025-64526 (Strapi) affects the @strapi/plugin-users-permissions rate-limiting key construction. In Strapi versions prior to 5.45.0, the rate-limit middleware used the request body’s email field as part of the rate-limit key (userIdentifier = ctx.request.body.email), even on routes where the ...

6.9CVSS6AI score0.00492EPSS
Exploits0References4Affected Software1
vulnrichment
vulnrichment
added 2026/05/14 6:32 p.m.10 views

CVE-2025-64526 Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...

6.9CVSS6AI score0.00492EPSS
Exploits0References4
cvelist
cvelist
added 2026/05/14 6:32 p.m.49 views

CVE-2025-64526 Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...

6.9CVSS0.00492EPSS
Exploits0References4
osv
osv
added 2026/05/14 6:32 p.m.2 views

CVE-2025-64526 Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...

6.9CVSS6.1AI score0.00492EPSS
Exploits0References6
cnnvd
cnnvd
added 2026/05/14 12:0 a.m.41 views

Strapi 安全漏洞

Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi prior to 5.45.0 contained security vulnerabilities. These vulnerabilities stemmed from a rate-limiting mechanism in the users-permissions plugin, which derived rate-limiting keys...

6.9CVSS6AI score0.00492EPSS
Exploits0References2
vulnersosv
vulnersosv
added 2026/05/13 8:2 p.m.11 views

@piksail/strapi-plugin-publish-coolify (=0.0.1), stronges (=0.1.1) +1 more potentially affected by CVE-2026-22706 via @strapi/plugin-users-permissions (>=5.11.0 <=5.30.0)

@strapi/plugin-users-permissions NPM version =5.11.0, =5.30.0 is affected by a known vulnerability. The following packages have a transitive dependency on @strapi/plugin-users-permissions and may be impacted: - @piksail/strapi-plugin-publish-coolify =0.0.1 - stronges =0.1.1 - test-lead =0.1.0...

6.5CVSS5.8AI score0.00272EPSS
Exploits0
github
github
added 2026/05/13 8:2 p.m.11 views

Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Summary of CVE-2025-64526 Vulnerability Details - CVE: CVE-2025-64526 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N 6.9 — Medium - Affected Versions: @strapi/plugin-users-permissions =5.45.0 Description of CVE-2025-64526 In Strapi versions prior to 5.45.0, th...

6.9CVSS6AI score0.00492EPSS
Exploits0References6Affected Software1
vulnersosv
vulnersosv
added 2026/05/13 8:2 p.m.8 views

@piksail/strapi-plugin-publish-coolify (=0.0.1), cypherscan-strapi (=0.1.1) +4 more potentially affected by CVE-2025-64526 via @strapi/plugin-users-permissions (>=5.11.0 <=5.42.1)

@strapi/plugin-users-permissions NPM version =5.11.0, =0.1.0, =0.1.4 - stronges =0.1.1 - test-lead =0.1.0 Source cves: CVE-2025-64526 Source advisory: SNYK:JS-STRAPIPLUGINUSERSPERMISSIONS-16683088...

6.9CVSS5.8AI score0.00492EPSS
Exploits0
osv
osv
added 2026/05/13 8:2 p.m.22 views

GHSA-7MQX-WWH4-F9FW Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Summary of CVE-2025-64526 Vulnerability Details - CVE: CVE-2025-64526 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N 6.9 — Medium - Affected Versions: @strapi/plugin-users-permissions =5.45.0 Description of CVE-2025-64526 In Strapi versions prior to 5.45.0, th...

6.9CVSS6AI score0.00492EPSS
Exploits0References6
ptsecurity
ptsecurity
added 2026/05/13 12:0 a.m.20 views

PT-2026-40833

Name of the Vulnerable Software and Affected Versions Strapi versions prior to 5.45.0 Description The rate-limit middleware in the users-permissions plugin incorrectly derives its rate-limit key using ctx.request.body.email, even on routes where the body schema does not require an email field, su...

6.9CVSS6AI score0.00492EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2025/10/27 12:0 a.m.9 views

PT-2025-43988

Name of the Vulnerable Software and Affected Versions BAE SOCET GXP versions prior to 4.6.0.2 Description The SOCET GXP Job Service lacks authentication. This may permit remote users to submit jobs, or local users to submit jobs that execute with the permissions of other users. Recommendations...

8.8CVSS6.6AI score0.00393EPSS
Exploits0References4
euvd
euvd
added 2025/10/07 12:30 a.m.7 views

EUVD-2016-1311

Malware in sbrugna...

7.8CVSS7.6AI score0.00394EPSS
Exploits0References4
euvd
euvd
added 2025/10/07 12:30 a.m.6 views

EUVD-2012-4181

Malware in sbrugna...

6.8CVSS6.3AI score0.0239EPSS
Exploits2References11
euvd
euvd
added 2025/10/07 12:30 a.m.7 views

EUVD-2016-0030

Malware in sbrugna...

5.3CVSS5.6AI score0.02219EPSS
Exploits0References16
euvd
euvd
added 2025/10/07 12:30 a.m.6 views

EUVD-2009-0804

Malware in sbrugna...

6.5CVSS9.4AI score0.01096EPSS
Exploits0References4
euvd
euvd
added 2025/10/07 12:30 a.m.10 views

EUVD-2000-0867

Malware in sbrugna...

3.6CVSS6.4AI score0.00745EPSS
Exploits1References4
Rows per page
Query Builder