@strapi/plugin-users-permissions (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package @strapi/plugin-users-permissions, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (7)
CVE-2023-39345 — CVSS 7.6 (high): strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fielded marked as private in the…
CVE-2023-22893 — CVSS 7.5 (high): Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for…
CVE-2023-38507 — CVSS 7.3 (high): Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of…
CVE-2023-22621 — CVSS 7.2 (high): Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the…
CVE-2024-34065 — CVSS 7.1 (high): Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL…
CVE-2026-22706 — CVSS 6.5 (medium): Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password…
CVE-2025-64526 — CVSS 5.3 (medium): Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the…