Lucene search
K
StrapiStrapi

39 matches found

CVE
CVE
added 2023/09/15 7:15 p.m.2529 views

CVE-2023-38507

CVE-2023-38507 affects Strapi up to version 4.12.0 (prior to 4.12.1) and describes an improper rate-limiting mechanism on the admin login that could be circumvented, enabling brute-force login attempts. Multiple connected documents corroborate that the vulnerability stems from a login-rate-limit ...

9.8CVSS8.3AI score0.00761EPSS
CVE
CVE
added 2023/07/25 5:24 p.m.2509 views

CVE-2023-34235

Strapi (pre-4.10.8) is vulnerable to information disclosure due to a Knex query that allows changing the default field prefix (t(number)). If the t-number prefix is used, private fields like password can be exposed, as t1.password is not protected. The issue can lead to filtering attacks affectin...

8.6CVSS7.8AI score0.00906EPSS
CVE
CVE
added 2022/05/03 5:3 p.m.1351 views

CVE-2021-46440

The CVE-2021-46440 issue affects Strapi (DOCUMENTATION plugin) prior to 3.6.9 and prior to 4.1.5. It stores passwords in a recoverable format, allowing an attacker who can access a victim’s HTTP request to retrieve the cookie, base64-decode it, and obtain a cleartext password. This enables access...

7.5CVSS7.3AI score0.02786EPSS
Web
CVE
CVE
added 2022/05/19 5:7 p.m.556 views

CVE-2022-30617

The CVE-2022-30617 issue affects Strapi where an authenticated admin-panel user can read private data (e.g., emails, password reset tokens) for other admin users via related content in the JSON response. This leakage occurs across relationships (e.g., content created/updated by another user) and ...

9CVSS8.5AI score0.01343EPSS
CVE
CVE
added 2022/05/19 5:8 p.m.534 views

CVE-2022-30618

The CVE-2022-30618 entry describes a vulnerability in Strapi where an authenticated user with access to the Strapi admin panel can view private data (e.g., email, password reset tokens) of API users when content types have relationships to API users (from: users-permissions). The leak occurs in J...

7.5CVSS7.5AI score0.00902EPSS
CVE
CVE
added 2022/06/13 4:50 a.m.481 views

CVE-2022-29894

CVE-2022-29894 affects Strapi v3.x.x and earlier, with a stored cross-site scripting vulnerability in the file upload function that can cause an arbitrary script to execute in the browser of a user logging in with administrative privileges. The issue is consistently described across multiple sour...

4.8CVSS4.9AI score0.00712EPSS
CVE
CVE
added 2019/11/07 9:2 p.m.424 views

CVE-2019-18818

The CVE-2019-18818 vulnerability affects Strapi CMS versions up to 3.0.0-beta.17.5, caused by a mishandling of password resets in admin/Auth.js and users-permissions/Auth.js. This leads to an unauthenticated admin password reset and privilege escalation, enabling unauthorized admin access. Remedi...

9.8CVSS9.3AI score0.97639EPSS
In wildWeb
CVE
CVE
added 2022/09/27 1:2 p.m.382 views

CVE-2022-31367

Strapi CMS (versions prior to 3.6.10 and 4.x prior to 4.1.10) is affected by a SQL injection vulnerability caused by incorrect handling of hidden attributes in admin API responses. This design/logic flaw allows an attacker to exfiltrate database data. Remediation: upgrade to Strapi 3.6.10 or 4.1....

8.8CVSS8.6AI score0.01321EPSS
CVE
CVE
added 2023/04/19 12:0 a.m.199 views

CVE-2023-22894

Strapi vulnerability CVE-2023-22894 (affecting Strapi before 4.8.0) allows unauthenticated attackers to infer sensitive user details by manipulating public collection query filters. This can reveal password hashes and password reset tokens for administrators and API users, potentially leading to ...

9.8CVSS5.2AI score0.01658EPSS
CVE
CVE
added 2023/04/19 12:0 a.m.184 views

CVE-2023-22621

CVE-2023-22621 affects Strapi up to version 4.5.5. An authenticated attacker with admin access can exploit Server-Side Template Injection (SSTI) in email templates to achieve arbitrary code execution on the server. Multiple connected sources confirm the vulnerability vector and potential RCE via ...

10CVSS7.3AI score0.76825EPSS
In wild
CVE
CVE
added 2019/12/05 7:44 p.m.167 views

CVE-2019-19609

CVE-2019-19609 affects Strapi framework versions before 3.0.0-beta.17.8. The vulnerability is Remote Code Execution in the Admin panel’s Install/Uninstall Plugin components caused by unsanitized plugin names, allowing execution of arbitrary shell commands via execa. Documents show authenticated a...

9CVSS7.3AI score0.54081EPSS
CVE
CVE
added 2023/04/19 12:0 a.m.151 views

CVE-2023-22893

Affected software : Strapi (open-source CMS) prior to 4.5.6. Vulnerability : Strapi versions up to 4.5.5/4.5.6-era did not verify access or ID tokens during the OAuth flow when using the AWS Cognito login provider, allowing a remote attacker to forge a token and bypass authentication. Root cause ...

8.2CVSS7.7AI score0.04158EPSS
CVE
CVE
added 2022/02/26 2:55 p.m.108 views

CVE-2022-0764

Strapi (strapi/strapi) is affected by CVE-2022-0764: an OS command injection vulnerability in versions prior to 4.1.0 due to improper sanitization of user input when creating an app via the template CLI argument. Impact is arbitrary command execution with local access. Mitigation: update to 4.1.0...

7.2CVSS6.5AI score0.00782EPSS
CVE
CVE
added 2023/09/15 6:57 p.m.105 views

CVE-2023-37263

CVE-2023-37263 affects Strapi (open-source headless CMS). The issue: field-level permissions are not respected in the relationship title, causing a field the user should not see to be visible when a relation includes that field. Impact is described as information disclosure under older releases. ...

6.8CVSS5AI score0.00534EPSS
CVE
CVE
added 2022/04/12 4:29 p.m.102 views

CVE-2022-27263

CVE-2022-27263 describes an arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 that allows an attacker to execute arbitrary code via a crafted file. The CVE is corroborated by multiple connected records (e.g., Red Hat, OSV, GHSA, NVD) with the same description. The und...

9.8CVSS9.5AI score0.03018EPSS
CVE
CVE
added 2022/07/13 12:0 a.m.94 views

CVE-2022-32114

CVE-2022-32114 describes an unrestricted file upload in Strapi 4.1.12 via the Add New Assets function, enabling an attacker to cause XSS by uploading a crafted PDF. The notes indicate that media upload permissions and public assets exposure can influence risk, with potential to upload PDFs contai...

8.8CVSS8.2AI score0.01578EPSS
CVE
CVE
added 2024/06/12 2:54 p.m.73 views

CVE-2024-34065

Summary: CVE-2024-34065 affects Strapi’s @strapi/plugin-users-permissions. By abusing two chained issues (Open Redirect and session token in a URL) prior to 4.24.2, an unauthenticated attacker can bypass authentication and obtain a third‑party token. The attack relies on dynamic OAuth callback co...

8.1CVSS7.5AI score0.0071EPSS
CVE
CVE
added 2024/06/20 12:0 a.m.73 views

CVE-2024-37818

Strapi v4.24.4 is affected by a Server-Side Request Forgery (SSRF) through the /strapi.io/_next/image endpoint. The issue allows an attacker to scan internal ports or access sensitive information via a crafted GET request. Root cause cited across sources as improper URL parameter handling in the ...

8.6CVSS8.4AI score0.00556EPSS
CVE
CVE
added 2020/02/04 7:8 p.m.72 views

CVE-2020-8123

CVE-2020-8123 affects Strapi up to v3.0.0-beta.18.3 and earlier. The vulnerability arises in the admin console where installPlugin/uninstallPlugin paths pass user input to execa after a regex check, allowing argument injection via inputs like -h, --help, -v, or --version. This can cause the serve...

4.9CVSS5.1AI score0.01145EPSS
CVE
CVE
added 2023/11/06 6:26 p.m.69 views

CVE-2023-39345

CVE-2023-39345 affects the Strapi open‑source CMS. According to the sources, versions prior to 4.13.1 did not properly restrict write access to fields marked as private in the user registration endpoint, allowing a malicious user to modify their own records. The issue is addressed in version 4.13...

7.6CVSS7.3AI score0.00496EPSS
CVE
CVE
added 2021/05/06 1:49 p.m.66 views

CVE-2021-28128

Strapi up to version 3.6.0 contains an auth weakness in the admin panel: a user can change their own password without entering the current one. If an attacker gains any valid session, they can take over the account by changing the password. This aligns with the CVSS3.1/8.1 (HIGH) impact noted in ...

8.1CVSS8AI score0.0128EPSS
CVE
CVE
added 2024/06/12 2:46 p.m.64 views

CVE-2024-29181

Strapi is affected: prior to 4.19.1, super admins can create a collection where items are associated to another collection, enabling users with the Author role to view associated items they did not create. This data leakage affects the @strapi/plugin-content-manager workflow; multiple sources (NV...

3.5CVSS3.5AI score0.00385EPSS
CVE
CVE
added 2020/10/22 6:19 p.m.62 views

CVE-2020-27664

Strapi prior to 3.2.5 contains a vulnerability in admin/src/containers/InputModalStepperProvider/index.js enabling an unwanted proxy/ URL parameter handling ("/proxy?url=") that could be abused. Public sources (NVD entry CVE-2020-27664, Red Hat advisory, GitHub/OSSV and GHSA) document this as an ...

9.8CVSS9.3AI score0.02264EPSS
Web
CVE
CVE
added 2025/05/29 9:2 a.m.62 views

CVE-2024-52588

Summary (CVE-2024-52588): Strapi CMS prior to 4.25.2 is vulnerable to SSRF via the Webhooks URL field, where entering a local domain can cause the server to fetch itself. Affected component is the Webhooks URL handling; root cause is improper validation/handling of internal destinations. Impact i...

7.5CVSS6.8AI score0.00483EPSS
CVE
CVE
added 2023/09/15 6:54 p.m.61 views

CVE-2023-36472

CVE-2023-36472 affects Strapi (before 4.11.7). The /content-manager/relations route allows an actor with the configure view permission to access private fields, including user reset password tokens, enabling information disclosure. The issue is fixed in version 4.11.7. If exploiting, the impact i...

5.8CVSS5.3AI score0.00565EPSS
CVE
CVE
added 2020/10/22 6:19 p.m.60 views

CVE-2020-27665

CVE-2020-27665 affects Strapi before 3.2.5, where the admin::hasPermissions restriction is not enforced for CTB (content-type-builder) routes. The root cause is missing authorization controls on CTB routes, enabling potential unauthorized access to resources via CTB endpoints. Public details in c...

7.5CVSS7.5AI score0.01195EPSS
CVE
CVE
added 2020/10/22 6:19 p.m.59 views

CVE-2020-27666

Strapi before 3.2.5 is affected by a stored XSS in the WYSIWYG editor’s preview feature. The vulnerability arises from unvalidated input being stored and subsequently rendered, enabling an attacker to inject scripts that run in a victim’s browser. A fix is available in Strapi 3.2.5 (see reference...

5.4CVSS5.1AI score0.00589EPSS
CVE
CVE
added 2023/07/25 2:54 p.m.58 views

CVE-2023-34093

Strapi (open-source CMS) prior to version 4.10.8 is vulnerable to information disclosure due to improper handling of Content-Type attributes. The issue arises from the removal of the privateAttributes getter when users extend or modify content-types, which can cause any attribute to become public...

7.1CVSS5.8AI score0.006EPSS
CVE
CVE
added 2024/06/12 2:50 p.m.55 views

CVE-2024-31217

CVE-2024-31217 is a DoS in Strapi’s media upload via @strapi/plugin-upload prior to version 4.22.0. The vulnerability can crash the server during file uploads without restart, affecting both development and production environments. The issue arises when errors are mishandled, causing the server t...

6.5CVSS5.4AI score0.00736EPSS
CVE
CVE
added 2020/06/19 4:29 p.m.54 views

CVE-2020-13961

CVE-2020-13961 affects Strapi before 3.0.2. A remote authenticated attacker can bypass security restrictions by exploiting templates stored in a global variable without sanitation, compelling an update to email templates for password reset and account confirmation via a crafted request. Impact is...

6.5CVSS6.3AI score0.01666EPSS
CVE
CVE
added 2026/05/14 6:43 p.m.46 views

CVE-2026-27886

CVE-2026-27886 affects Strapi (open source headless CMS). Versions prior to 5.37.0 (from 4.0.0 onward) fail to sufficiently sanitize query parameters when filtering via relational fields. An unauthenticated attacker can use the public Content API’s where parameter on fields like updatedBy to perf...

9.2CVSS5.8AI score0.00612EPSS
Web
CVE
CVE
added 2026/05/14 6:32 p.m.41 views

CVE-2025-64526

CVE-2025-64526 (Strapi) affects the @strapi/plugin-users-permissions rate-limiting key construction. In Strapi versions prior to 5.45.0, the rate-limit middleware used the request body’s email field as part of the rate-limit key (userIdentifier = ctx.request.body.email), even on routes where the ...

6.9CVSS6AI score0.00492EPSS
Web
CVE
CVE
added 2026/05/14 6:35 p.m.33 views

CVE-2026-22599

Strapi Content-Type Builder contains a database-query injection in the write API for the 4.x and 5.x branches prior to 4.26.1 and 5.33.2. An authenticated administrator could pass arbitrary SQL via column.defaultTo (as [value, { isRaw: true }]) to Knex during schema migrations, enabling statement...

9.3CVSS6.5AI score0.01178EPSS
Web
CVE
CVE
added 2026/05/14 6:40 p.m.33 views

CVE-2026-22707

In Strapi, prior to 5.33.3, the Upload plugin’s Content API endpoints did not enforce the administrator-configured MIME restrictions, allowing an authenticated Content API user to upload disallowed file types (e.g., HTML, SVG). The Content API handlers bypassed magic-byte MIME checks and allow/de...

5.4CVSS5.8AI score0.00195EPSS
Web
CVE
CVE
added 2025/10/16 4:7 p.m.22 views

CVE-2024-56143

Strapi 5.0.0–5.5.1 is vulnerable due to improper sanitization of the document service lookup operator for private fields, enabling an attacker to access sensitive data (e.g., admin passwords, reset tokens). The issue is fixed in Strapi 5.5.2. Affected software, root cause, and impact are corrobor...

8.2CVSS6.4AI score0.00383EPSS
CVE
CVE
added 2026/05/14 6:38 p.m.19 views

CVE-2026-22706

Strapi (prior to 5.33.3) did not revoke refresh-token sessions on password change/reset when deviceId was not supplied, allowing an attacker with a refresh token to mint new access tokens until expiry. The fix in 5.33.3 invalidates all user refresh tokens on every password change/reset and issues...

6.5CVSS5.8AI score0.00272EPSS
CVE
CVE
added 2025/10/16 4:29 p.m.13 views

CVE-2025-53092

Strapi core (open-source headless CMS) contains a CORS misconfiguration in default installations prior to version 5.20.0: the Origin header is reflected back in Access-Control-Allow-Origin without proper validation or whitelisting, enabling an attacker-controlled site to send credentialed request...

6.5CVSS6.3AI score0.00263EPSS
CVE
CVE
added 2026/06/29 9:16 p.m.13 views

CVE-2026-57997

The CVE concerns the Strapi users-permissions plugin where JWT algorithm restrictions are not enforced if plugin::users-permissions.jwt.algorithm is not explicitly configured. This allows the server to accept HS384 and HS512 tokens alongside HS256. An attacker who possesses the jwtSecret can mint...

6.3CVSS5.8AI score0.00147EPSS
CVE
CVE
added 2025/10/16 4:21 p.m.11 views

CVE-2025-25298

CVE-2025-25298 concerns Strapi’s @strapi/core up to v5.10.3, where bcryptjs-based password hashing does not enforce a maximum password length. Passwords longer than 72 bytes are silently truncated by bcryptjs, allowing a user to register with an overlong password and authenticate using only the f...

6.3CVSS6.6AI score0.00383EPSS