@strapi/strapi
npm · 11 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @strapi/strapi
- CVE-2021-46440 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 4.1.5 · 2022-05-03
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victi…
- CVE-2022-30617 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 4.0.0-beta.15 · 2022-05-19
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content acce…
- CVE-2022-30618 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 4.1.9 · 2022-05-19
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API user…
- CVE-2022-31367 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 4.1.10 · 2022-09-27
Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.
- CVE-2022-32114 · HIGH · CVSS 8.8 · EG 4.6 · 2022-07-13
An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (…
- CVE-2023-22894 · MEDIUM · CVSS 4.9 · EG 4.9 · ✓ Fixed in 4.8.0 · 2023-04-19
Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from AP…
- CVE-2023-34093 · MEDIUM · CVSS 4.8 · EG 4.8 · ✓ Fixed in 4.10.8 · 2023-07-25
Strapi is an open-source headless content management system. Prior to version 4.10.8, anyone (Strapi developers, users, plugins) can make every attribute of a Content-Type public without knowing it. The vulnerability only affects the handl…
- CVE-2023-39345 · HIGH · CVSS 7.6 · EG 7.6 · ✓ Fixed in 4.13.1 · 2023-11-06
Strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fields marked as private in the user registration endpoint. As such, malicious users may be able to errantly modify their user record…
- CVE-2024-37818 · HIGH · CVSS 8.6 · EG 8.6 · 2024-06-20
vulnerable: 4.24.4
Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image. This vulnerability allows attackers to scan for open ports or access sensitive information via a crafted GET request. N…
- CVE-2025-3930 · MEDIUM · CVSS 6.3 · EG 0.0 · ✓ Fixed in 5.24.1 · 2025-10-16
Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is…
- CVE-2026-27886 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 5.37.0 · 2026-05-14
Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker cou…