Lucene search
K
KeystonejsKeystone

13 matches found

CVE
CVE
added 2023/08/15 5:45 p.m.2516 views

CVE-2023-40027

Keystone (Node.js) vulnerability CVE-2023-40027: When ui.isAccessAllowed is undefined, the adminMeta GraphQL query is publicly accessible without a session, potentially exposing admin metadata. Affected users are those relying on a session strategy to restrict access; developers using @keystone-6...

5.3CVSS4.7AI score0.00469EPSS
CVE
CVE
added 2022/01/11 11:20 p.m.98 views

CVE-2022-0087

Keystone 6 login page vulnerability (CVE-2022-0087) involves an open redirect via the from= URL parameter, which can be escalated to reflected XSS. The issue is highlighted in the Nuclei template for Keystone 6 Login Page, describing an open redirect and potential XSS on the authentication flow. ...

7.1CVSS6.2AI score0.02601EPSS
CVE
CVE
added 2025/05/05 6:53 p.m.83 views

CVE-2025-46720

Keystone (Node.js CMS) prior to 6.5.0 has an Access Control Bypass in update/delete mutations: when a where clause uses multiple unique filters, the isFilterable check can be bypassed, enabling inference of hidden field values. The issue is patched in @keystone-6/core v6.5.0. Mitigations from the...

4.3CVSS3.8AI score0.00234EPSS
CVE
CVE
added 2017/10/24 9:0 p.m.78 views

CVE-2017-15878

KeystoneJS prior to 4.0.0-beta.7 contains a cross-site scripting (XSS) flaw in fields/types/markdown/MarkdownType.js exposed via the Contact Us feature. Multiple sources (GHSA entry and exploit reports) describe this as an unauthenticated or remote-exploit path that can deliver arbitrary JavaScri...

6.1CVSS5.2AI score0.03415EPSS
CVE
CVE
added 2017/10/24 9:0 p.m.76 views

CVE-2017-15879

CVE-2017-15879 affects KeystoneJS before 4.0.0-beta.7. The CSV injection vulnerability arises in the CSV export path via values mishandled in admin/server/api/download.js and lib/list/getCSVData.js, enabling Excel macro/formula injection. Documentation indicates the issue exists prior to version ...

8.8CVSS8.6AI score0.07217EPSS
Web
CVE
CVE
added 2022/11/03 12:0 a.m.75 views

CVE-2022-39382

Keystone (Node.js) vulnerability CVE-2022-39382 affects @keystone-6/core versions 3.0.0 and 3.0.1. The issue arises when NODE_ENV is inlined to the string "development" for user code in production builds, potentially triggering security‑sensitive functionality unintentionally. The vulnerability i...

9.8CVSS9.6AI score0.01486EPSS
CVE
CVE
added 2017/10/24 10:0 p.m.66 views

CVE-2017-15881

Technical details for CVE-2017-15881 are not publicly available in the provided documents. Monitor for updates.

4.8CVSS5.1AI score0.01215EPSS
CVE
CVE
added 2017/11/06 8:0 a.m.64 views

CVE-2017-16570

KeystoneJS vulnerability CVE-2017-16570 affects KeystoneJS before 4.0.0-beta.7. The issue is a Cross-Site Request Forgery (CSRF) bypass where requests can bypass CSRF protection by removing the CSRF parameter/value, effectively not rejecting requests that lack an X-CSRF-Token header. Public detai...

8.8CVSS8.6AI score0.02213EPSS
CVE
CVE
added 2022/05/16 1:28 p.m.62 views

CVE-2022-29354

CVE-2022-29354 concerns Keystone CMS, version 4.2.1. The vulnerability is in the File Upload module, where an arbitrary file upload allows an attacker to execute arbitrary code via a crafted file. The description and connected sources confirm the affected software/component and the risk of remote...

9.8CVSS9.4AI score0.0241EPSS
CVE
CVE
added 2022/10/25 12:0 a.m.61 views

CVE-2022-39322

The CVE-2022-39322 entry affects the Keystone 6 ecosystem: @keystone-6/core prior to version 2.3.1, specifically 2.2.0 up to 2.3.0, is vulnerable to a field-level access-control bypass for multiselect fields. The vulnerability arises because field-level access control is not applied to multiselec...

9.8CVSS9.6AI score0.01055EPSS
CVE
CVE
added 2018/05/29 8:0 p.m.50 views

CVE-2015-9240

CVE-2015-9240 affects the keystone node module prior to 0.3.16. The vulnerability is a partial authentication bypass in the default sign-in flow: if an attacker provides a full and correct password but only a partial email address, authentication can be granted. Affected component is the keystone...

7.5CVSS7.5AI score0.0089EPSS
CVE
CVE
added 2023/06/13 4:31 p.m.50 views

CVE-2023-34247

Keystone is a Node.js-based CMS. There is an Open Redirect in the @keystone-6/auth package up to version 7.0.0, where the redirect leading '/' filter can be bypassed. An attacker may cause users to be redirected to external domains instead of the relative host. Remediation is to apply the patch f...

6.1CVSS5.1AI score0.00407EPSS
CVE
CVE
added 2026/03/24 7:8 p.m.9 views

CVE-2026-33326

Summary: Keystone 6 core prior to 6.5.2 had a bypass in isFilterable for findMany via the cursor parameter, allowing potential disclosure by confirming protected field values. The root cause is that the cursor input type reused UniqueWhere checks not patched by the previous fix for CVE-2025-46720...

4.3CVSS5.7AI score0.00257EPSS