39 matches found
CVE-2023-38507
CVE-2023-38507 affects Strapi up to version 4.12.0 (prior to 4.12.1) and describes an improper rate-limiting mechanism on the admin login that could be circumvented, enabling brute-force login attempts. Multiple connected documents corroborate that the vulnerability stems from a login-rate-limit ...
CVE-2023-34235
Strapi (pre-4.10.8) is vulnerable to information disclosure due to a Knex query that allows changing the default field prefix (t(number)). If the t-number prefix is used, private fields like password can be exposed, as t1.password is not protected. The issue can lead to filtering attacks affectin...
CVE-2021-46440
The CVE-2021-46440 issue affects Strapi (DOCUMENTATION plugin) prior to 3.6.9 and prior to 4.1.5. It stores passwords in a recoverable format, allowing an attacker who can access a victim’s HTTP request to retrieve the cookie, base64-decode it, and obtain a cleartext password. This enables access...
CVE-2022-30617
The CVE-2022-30617 issue affects Strapi where an authenticated admin-panel user can read private data (e.g., emails, password reset tokens) for other admin users via related content in the JSON response. This leakage occurs across relationships (e.g., content created/updated by another user) and ...
CVE-2022-30618
The CVE-2022-30618 entry describes a vulnerability in Strapi where an authenticated user with access to the Strapi admin panel can view private data (e.g., email, password reset tokens) of API users when content types have relationships to API users (from: users-permissions). The leak occurs in J...
CVE-2022-29894
CVE-2022-29894 affects Strapi v3.x.x and earlier, with a stored cross-site scripting vulnerability in the file upload function that can cause an arbitrary script to execute in the browser of a user logging in with administrative privileges. The issue is consistently described across multiple sour...
CVE-2019-18818
The CVE-2019-18818 vulnerability affects Strapi CMS versions up to 3.0.0-beta.17.5, caused by a mishandling of password resets in admin/Auth.js and users-permissions/Auth.js. This leads to an unauthenticated admin password reset and privilege escalation, enabling unauthorized admin access. Remedi...
CVE-2022-31367
Strapi CMS (versions prior to 3.6.10 and 4.x prior to 4.1.10) is affected by a SQL injection vulnerability caused by incorrect handling of hidden attributes in admin API responses. This design/logic flaw allows an attacker to exfiltrate database data. Remediation: upgrade to Strapi 3.6.10 or 4.1....
CVE-2023-22894
Strapi vulnerability CVE-2023-22894 (affecting Strapi before 4.8.0) allows unauthenticated attackers to infer sensitive user details by manipulating public collection query filters. This can reveal password hashes and password reset tokens for administrators and API users, potentially leading to ...
CVE-2023-22621
CVE-2023-22621 affects Strapi up to version 4.5.5. An authenticated attacker with admin access can exploit Server-Side Template Injection (SSTI) in email templates to achieve arbitrary code execution on the server. Multiple connected sources confirm the vulnerability vector and potential RCE via ...
CVE-2019-19609
CVE-2019-19609 affects Strapi framework versions before 3.0.0-beta.17.8. The vulnerability is Remote Code Execution in the Admin panel’s Install/Uninstall Plugin components caused by unsanitized plugin names, allowing execution of arbitrary shell commands via execa. Documents show authenticated a...
CVE-2023-22893
Affected software : Strapi (open-source CMS) prior to 4.5.6. Vulnerability : Strapi versions up to 4.5.5/4.5.6-era did not verify access or ID tokens during the OAuth flow when using the AWS Cognito login provider, allowing a remote attacker to forge a token and bypass authentication. Root cause ...
CVE-2022-0764
Strapi (strapi/strapi) is affected by CVE-2022-0764: an OS command injection vulnerability in versions prior to 4.1.0 due to improper sanitization of user input when creating an app via the template CLI argument. Impact is arbitrary command execution with local access. Mitigation: update to 4.1.0...
CVE-2023-37263
CVE-2023-37263 affects Strapi (open-source headless CMS). The issue: field-level permissions are not respected in the relationship title, causing a field the user should not see to be visible when a relation includes that field. Impact is described as information disclosure under older releases. ...
CVE-2022-27263
CVE-2022-27263 describes an arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 that allows an attacker to execute arbitrary code via a crafted file. The CVE is corroborated by multiple connected records (e.g., Red Hat, OSV, GHSA, NVD) with the same description. The und...
CVE-2022-32114
CVE-2022-32114 describes an unrestricted file upload in Strapi 4.1.12 via the Add New Assets function, enabling an attacker to cause XSS by uploading a crafted PDF. The notes indicate that media upload permissions and public assets exposure can influence risk, with potential to upload PDFs contai...
CVE-2024-37818
Strapi v4.24.4 is affected by a Server-Side Request Forgery (SSRF) through the /strapi.io/_next/image endpoint. The issue allows an attacker to scan internal ports or access sensitive information via a crafted GET request. Root cause cited across sources as improper URL parameter handling in the ...
CVE-2024-34065
Summary: CVE-2024-34065 affects Strapi’s @strapi/plugin-users-permissions. By abusing two chained issues (Open Redirect and session token in a URL) prior to 4.24.2, an unauthenticated attacker can bypass authentication and obtain a third‑party token. The attack relies on dynamic OAuth callback co...
CVE-2020-8123
CVE-2020-8123 affects Strapi up to v3.0.0-beta.18.3 and earlier. The vulnerability arises in the admin console where installPlugin/uninstallPlugin paths pass user input to execa after a regex check, allowing argument injection via inputs like -h, --help, -v, or --version. This can cause the serve...
CVE-2023-39345
CVE-2023-39345 affects the Strapi open‑source CMS. According to the sources, versions prior to 4.13.1 did not properly restrict write access to fields marked as private in the user registration endpoint, allowing a malicious user to modify their own records. The issue is addressed in version 4.13...
CVE-2021-28128
Strapi up to version 3.6.0 contains an auth weakness in the admin panel: a user can change their own password without entering the current one. If an attacker gains any valid session, they can take over the account by changing the password. This aligns with the CVSS3.1/8.1 (HIGH) impact noted in ...
CVE-2024-29181
Strapi is affected: prior to 4.19.1, super admins can create a collection where items are associated to another collection, enabling users with the Author role to view associated items they did not create. This data leakage affects the @strapi/plugin-content-manager workflow; multiple sources (NV...
CVE-2020-27664
Strapi prior to 3.2.5 contains a vulnerability in admin/src/containers/InputModalStepperProvider/index.js enabling an unwanted proxy/ URL parameter handling ("/proxy?url=") that could be abused. Public sources (NVD entry CVE-2020-27664, Red Hat advisory, GitHub/OSSV and GHSA) document this as an ...
CVE-2024-52588
Summary (CVE-2024-52588): Strapi CMS prior to 4.25.2 is vulnerable to SSRF via the Webhooks URL field, where entering a local domain can cause the server to fetch itself. Affected component is the Webhooks URL handling; root cause is improper validation/handling of internal destinations. Impact i...
CVE-2023-36472
CVE-2023-36472 affects Strapi (before 4.11.7). The /content-manager/relations route allows an actor with the configure view permission to access private fields, including user reset password tokens, enabling information disclosure. The issue is fixed in version 4.11.7. If exploiting, the impact i...
CVE-2020-27665
CVE-2020-27665 affects Strapi before 3.2.5, where the admin::hasPermissions restriction is not enforced for CTB (content-type-builder) routes. The root cause is missing authorization controls on CTB routes, enabling potential unauthorized access to resources via CTB endpoints. Public details in c...
CVE-2020-27666
Strapi before 3.2.5 is affected by a stored XSS in the WYSIWYG editor’s preview feature. The vulnerability arises from unvalidated input being stored and subsequently rendered, enabling an attacker to inject scripts that run in a victim’s browser. A fix is available in Strapi 3.2.5 (see reference...
CVE-2023-34093
Strapi (open-source CMS) prior to version 4.10.8 is vulnerable to information disclosure due to improper handling of Content-Type attributes. The issue arises from the removal of the privateAttributes getter when users extend or modify content-types, which can cause any attribute to become public...
CVE-2024-31217
CVE-2024-31217 is a DoS in Strapi’s media upload via @strapi/plugin-upload prior to version 4.22.0. The vulnerability can crash the server during file uploads without restart, affecting both development and production environments. The issue arises when errors are mishandled, causing the server t...
CVE-2020-13961
CVE-2020-13961 affects Strapi before 3.0.2. A remote authenticated attacker can bypass security restrictions by exploiting templates stored in a global variable without sanitation, compelling an update to email templates for password reset and account confirmation via a crafted request. Impact is...
CVE-2026-27886
CVE-2026-27886 affects Strapi (open source headless CMS). Versions prior to 5.37.0 (from 4.0.0 onward) fail to sufficiently sanitize query parameters when filtering via relational fields. An unauthenticated attacker can use the public Content API’s where parameter on fields like updatedBy to perf...
CVE-2025-64526
CVE-2025-64526 (Strapi) affects the @strapi/plugin-users-permissions rate-limiting key construction. In Strapi versions prior to 5.45.0, the rate-limit middleware used the request body’s email field as part of the rate-limit key (userIdentifier = ctx.request.body.email), even on routes where the ...
CVE-2026-22599
Strapi Content-Type Builder contains a database-query injection in the write API for the 4.x and 5.x branches prior to 4.26.1 and 5.33.2. An authenticated administrator could pass arbitrary SQL via column.defaultTo (as [value, { isRaw: true }]) to Knex during schema migrations, enabling statement...
CVE-2026-22707
In Strapi, prior to 5.33.3, the Upload plugin’s Content API endpoints did not enforce the administrator-configured MIME restrictions, allowing an authenticated Content API user to upload disallowed file types (e.g., HTML, SVG). The Content API handlers bypassed magic-byte MIME checks and allow/de...
CVE-2024-56143
Strapi 5.0.0–5.5.1 is vulnerable due to improper sanitization of the document service lookup operator for private fields, enabling an attacker to access sensitive data (e.g., admin passwords, reset tokens). The issue is fixed in Strapi 5.5.2. Affected software, root cause, and impact are corrobor...
CVE-2026-22706
Strapi (prior to 5.33.3) did not revoke refresh-token sessions on password change/reset when deviceId was not supplied, allowing an attacker with a refresh token to mint new access tokens until expiry. The fix in 5.33.3 invalidates all user refresh tokens on every password change/reset and issues...
CVE-2025-53092
Strapi core (open-source headless CMS) contains a CORS misconfiguration in default installations prior to version 5.20.0: the Origin header is reflected back in Access-Control-Allow-Origin without proper validation or whitelisting, enabling an attacker-controlled site to send credentialed request...
CVE-2026-57997
The CVE concerns the Strapi users-permissions plugin where JWT algorithm restrictions are not enforced if plugin::users-permissions.jwt.algorithm is not explicitly configured. This allows the server to accept HS384 and HS512 tokens alongside HS256. An attacker who possesses the jwtSecret can mint...
CVE-2025-25298
CVE-2025-25298 concerns Strapi’s @strapi/core up to v5.10.3, where bcryptjs-based password hashing does not enforce a maximum password length. Passwords longer than 72 bytes are silently truncated by bcryptjs, allowing a user to register with an overlong password and authenticate using only the f...