@keystone-6/core
npm · 5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @keystone-6/core
- CVE-2022-39322 | CRITICAL | CVSS 9.1 | EG 9.1 | Fixed in 2.3.1 | 2022-10-25
@keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level access control - if co…
- CVE-2022-39382 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 3.0.2 | 2022-11-03
Keystone is a headless CMS for Node.js, built with GraphQL and React. `@keystone-6/core@3.0.0 || 3.0.1` users that use `NODE_ENV` to trigger security-sensitive functionality in their production builds are vulnerable to `NODE_ENV` being i…
- CVE-2023-40027 | LOW | CVSS 3.7 | EG 3.7 | Fixed in 5.5.1 | 2023-08-15
Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL query is publicly accessible (no session required). This is different to the beh…
- CVE-2025-46720 | LOW | CVSS 3.1 | EG 3.1 | Fixed in 6.5.0 | 2025-05-05
Keystone is a content management system for Node.js. Prior to version 6.5.0, `{field}.isFilterable` access control can be bypassed in `update` and `delete` mutations by adding additional unique filters. These filters can be used as an orac…
- CVE-2026-33326 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 6.5.2 | 2026-03-24
Keystone is a content management system for Node.js. Prior to version 6.5.2, `{field}.isFilterable` access control can be bypassed in `findMany` queries by passing a cursor. This can be used to confirm the existence of records by protected fie…