
strapi

39 known vulnerabilities across versions
Vulnerabilities are listed by affected version range, with the CVSS base score and severity for each entry. Descriptions are the advisory summaries and are shown as excerpts.
CVE-2026-27886
Affected: >= 4.0.0 and < 5.37.0
Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not suffici
CVSS 7.5 (HIGH)

CVE-2026-22707
Affected: < 5.33.3
Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API e
CVSS 5.4 (MEDIUM)

CVE-2026-22706
Affected: < 5.33.3
Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's pa
CVSS 6.5 (MEDIUM)

CVE-2026-22599
Affected: >= 4.0.0 and < 4.26.1 (4.x branch; the description also names a 5.x fix version that is not recorded in this listing)
Strapi is an open source headless content management system. In versions on the 4.x branch prior to 4.26.1 and on the 5.x branch p
CVSS 7.2 (HIGH)

CVE-2025-64526
Affected: < 5.45.0
Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the
CVSS 5.3 (MEDIUM)

CVE-2025-53092
Affected: < 5.20.0
Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulne
CVSS 6.5 (MEDIUM)

CVE-2025-25298
Affected: < 5.10.3
Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length w
CVSS 5.3 (MEDIUM)

CVE-2024-56143
Affected: >= 5.0.0 and < 5.5.2
Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided
CVSS 8.2 (HIGH)

CVE-2024-52588
Affected: < 4.25.2
Strapi is an open-source content management system. Prior to version 4.25.2, inputting a local domain into the Webhooks URL field
CVSS 4.9 (MEDIUM)

CVE-2024-37818
Affected: all versions (no fixed version recorded; reported against v4.24.4)
Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image. This vulne
CVSS 8.6 (HIGH)

CVE-2024-34065
Affected: < 4.24.2
Strapi is an open-source content management system. By combining two vulnerabilities (an Open Redirect and `session token sent a
CVSS 7.1 (HIGH)

CVE-2024-31217
Affected: < 4.22.0
Strapi is an open-source content management system. Prior to version 4.22.0, a denial-of-service vulnerability is present in the m
CVSS 5.3 (MEDIUM)

CVE-2024-29181
Affected: < 4.19.1
Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item i
CVSS 2.3 (LOW)

CVE-2023-48218
Affected: Strapi Protected Populate Plugin < 1.3.4 (plugin version, not Strapi core)
The Strapi Protected Populate Plugin protects get endpoints from revealing too much information. Prior to version 1.3.4, users w
CVSS 5.3 (MEDIUM)

CVE-2023-39345
Affected: >= 4.0.0 and < 4.13.1
strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fields marked as privat
CVSS 7.6 (HIGH)

CVE-2023-38507
Affected: < 4.12.1
Strapi is an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login funct
CVSS 7.3 (HIGH)

CVE-2023-37263
Affected: < 4.12.1
Strapi is an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respecte
CVSS 6.8 (MEDIUM)

CVE-2023-36472
Affected: < 4.11.7
Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user
CVSS 5.8 (MEDIUM)

CVE-2023-34235
Affected: < 4.10.8
Strapi is an open-source headless content management system. Prior to version 4.10.8, it is possible to leak private fields if one
CVSS 8.6 (HIGH)

CVE-2023-34093
Affected: < 4.10.8
Strapi is an open-source headless content management system. Prior to version 4.10.8, anyone (Strapi developers, users, plugins) c
CVSS 4.8 (MEDIUM)

CVE-2023-22894
Affected: >= 3.2.1 and < 4.8.0
Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query
CVSS 4.9 (MEDIUM)

CVE-2023-22893
Affected: >= 3.0.0 and < 4.6.0
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is u
CVSS 7.5 (HIGH)

CVE-2023-22621
Affected: >= 3.0.0 and < 4.5.6
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on
CVSS 7.2 (HIGH)

CVE-2022-31367
Affected: < 3.6.10; 4.x < 4.1.10
Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.
CVSS 8.8 (HIGH)

CVE-2022-32114
Affected: all versions (no fixed version recorded; reported against 4.1.12)
An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks
CVSS 8.8 (HIGH)

CVE-2022-29894
Affected: <= 3.6.10
Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in the file upload function. By exploiting this
CVSS 4.8 (MEDIUM)

CVE-2022-30618
Affected: >= 3.0.0 and < 3.6.10
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset
CVSS 7.5 (HIGH)

CVE-2022-30617
Affected: >= 3.0.0 and < 3.6.10
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset
CVSS 8.8 (HIGH)

CVE-2021-46440
Affected: < 3.6.9; 4.x < 4.1.5
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows
CVSS 7.5 (HIGH)

CVE-2022-27263
Affected: all versions (no fixed version recorded; reported against v4.1.5)
An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a
CVSS 9.8 (CRITICAL)

CVE-2022-0764
Affected: < 4.1.0
Arbitrary Command Injection in GitHub repository strapi/strapi prior to 4.1.0.
CVSS 6.7 (MEDIUM)

CVE-2021-28128
Affected: <= 3.6.0
In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attac
CVSS 8.1 (HIGH)

CVE-2020-27666
Affected: < 3.2.5
Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature.
CVSS 5.4 (MEDIUM)

CVE-2020-27665
Affected: < 3.2.5
In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB (aka content-type-builder) routes.
CVSS 7.5 (HIGH)

CVE-2020-27664
Affected: < 3.2.5
admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality.
CVSS 9.8 (CRITICAL)

CVE-2020-13961
Affected: < 3.0.2
Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a
CVSS 6.5 (MEDIUM)

CVE-2020-8123
Affected: <= 3.0.0-beta.18.3 per the description (the listing gives < 3.0.0)
A denial of service exists in strapi v3.0.0-beta.18.3 and earlier that can be abused in the admin console by a user with admin rights and can l
CVSS 4.9 (MEDIUM)

CVE-2019-19609
Affected: < 3.0.0-beta.17.8 per the description (the listing gives <= 1.6.4)
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components
CVSS 7.2 (HIGH)

CVE-2019-18818
Affected: < 3.0.0-beta.17.5 per the description (the listing gives <= 1.6.4)
strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plug
CVSS 9.8 (CRITICAL)
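The practical use of a listing like this is to match an installed Strapi version against each affected range. The following is an added example, not code from this page or from the Strapi project: a small Node.js matcher for the exact range grammar the listing uses (">= A and < B", "< B", "<= B", "all versions"), with a hand-written SemVer comparison so that pre-release versions such as 3.0.0-beta.17.8 sort before their release. The advisory subset embedded below is copied from the listing above; the function and constant names are this example's own.

```javascript
// Added example: check a deployed Strapi version against affected-version ranges
// written the way this listing writes them. No dependency on the `semver` package.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : null, // e.g. ["beta", "17", "8"]
  };
}

// SemVer 2.0 ordering: numeric core first; then a release outranks any of its
// pre-releases; pre-release identifiers compare one by one, numeric before
// alphanumeric, and a shorter identifier list (a prefix) ranks lower.
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (A.core[i] !== B.core[i]) return A.core[i] < B.core[i] ? -1 : 1;
  }
  if (!A.pre && !B.pre) return 0;
  if (!A.pre) return 1;
  if (!B.pre) return -1;
  const n = Math.max(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    if (A.pre[i] === undefined) return -1;
    if (B.pre[i] === undefined) return 1;
    const x = A.pre[i], y = B.pre[i];
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xNum !== yNum) {
      return xNum ? -1 : 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// Comparison operators that appear in the listing's range expressions.
const OPS = {
  "<": (c) => c < 0,
  "<=": (c) => c <= 0,
  ">": (c) => c > 0,
  ">=": (c) => c >= 0,
};

// Does `version` satisfy every clause of a listing-style range expression?
// "all versions" matches unconditionally and therefore needs manual triage.
function inRange(version, range) {
  const r = range.trim();
  if (r === "all versions") return true;
  return r.split(/\s+and\s+/).every((clause) => {
    const m = /^(<=|>=|<|>)\s*(\S+)$/.exec(clause.trim());
    if (!m) throw new Error(`unparseable range clause: ${clause}`);
    return OPS[m[1]](compareVersions(version, m[2]));
  });
}

// Constructed subset of this page's entries (IDs and ranges copied from the listing).
const STRAPI_ADVISORIES = [
  ["CVE-2026-27886", ">= 4.0.0 and < 5.37.0"],
  ["CVE-2026-22707", "< 5.33.3"],
  ["CVE-2026-22599", ">= 4.0.0 and < 4.26.1"],
  ["CVE-2025-64526", "< 5.45.0"],
  ["CVE-2024-56143", ">= 5.0.0 and < 5.5.2"],
  ["CVE-2024-37818", "all versions"],
  ["CVE-2022-29894", "<= 3.6.10"],
];

// IDs whose affected range contains the installed version, in listing order.
function affecting(version, advisories = STRAPI_ADVISORIES) {
  return advisories.filter(([, range]) => inRange(version, range)).map(([id]) => id);
}

// Stand-alone demo: a 5.33.2 deployment and a pre-release ordering check.
console.log(affecting("5.33.2"));
console.log(compareVersions("3.0.0-beta.17.8", "3.0.0"));
```

Two caveats follow from the listing itself. A range is only as good as the advisory data: CVE-2026-22599's description names both a 4.x and a 5.x fix while its range covers only 4.x, so a 5.x deployment will not match it here and needs the full advisory. And any entry recorded as "all versions" matches every query, which is a prompt to read the advisory rather than a statement that the deployed build is exploitable.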
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin