@strapi/strapi (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package @strapi/strapi, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (11)
CVE-2022-30617 — CVSS 8.8 (high): An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens…
CVE-2022-31367 — CVSS 8.8 (high): Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.
CVE-2022-32114 — CVSS 8.8 (high): An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a…
CVE-2024-37818 — CVSS 8.6 (high): Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image. This vulnerability…
CVE-2023-39345 — CVSS 7.6 (high): strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fielded marked as private in the…
CVE-2021-46440 — CVSS 7.5 (high): Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an…
CVE-2022-30618 — CVSS 7.5 (high): An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens…
CVE-2026-27886 — CVSS 7.5 (high): Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently…
CVE-2025-3930: Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an…
CVE-2023-22894 — CVSS 4.9 (medium): Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter…
CVE-2023-34093 — CVSS 4.8 (medium): Strapi is an open-source headless content management system. Prior to version 4.10.8, anyone (Strapi developers, users, plugins) can make…