📦 Strapi
by Strapi
🔍 What is Strapi?
Description coming soon...
🛡️ Security Overview
⚠️ Known Vulnerabilities
CVE-2020-27664 is a server-side request forgery (SSRF) vulnerability in Strapi's admin interface that allows attackers to make unauthorized requests to internal systems. It affects Strapi installation...
This vulnerability in Strapi allows attackers to access private fields like admin passwords and reset tokens by crafting malicious queries with the lookup parameter. It affects Strapi versions 5.0.0 t...
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Strapi v4.24.4 that allows attackers to make unauthorized requests from the server to internal systems via the /strapi.io/_next...
This CVE describes an authentication bypass vulnerability in Strapi's users-permissions plugin. By combining an open redirect with session tokens sent as URL parameters, unauthenticated attackers can ...
This vulnerability in Strapi allows malicious users to modify private fields in their user records during registration. It affects all Strapi instances running versions before 4.13.1 where user regist...
This vulnerability allows attackers to bypass rate limiting on Strapi's admin login function, enabling brute force attacks to guess credentials. It affects all Strapi deployments with admin interfaces...
CVE-2023-22621 is a Server-Side Template Injection vulnerability in Strapi that allows authenticated attackers with admin panel access to execute arbitrary code on the server by injecting malicious pa...
An unrestricted file upload vulnerability in Strapi 4.1.12 allows authenticated users with upload permissions to upload PDF files containing JavaScript, which can lead to cross-site scripting (XSS) at...
This vulnerability in Strapi's DOCUMENTATION plugin stores passwords in a recoverable format (base64 encoded in cookies). Attackers who intercept HTTP requests can decode cookies to obtain cleartext p...
This vulnerability in Strapi allows attackers who have obtained a valid session to change a user's password without providing the current password. This enables account takeover attacks where attacker...
Strapi versions before 5.10.3 do not enforce a maximum password length when using bcryptjs for password hashing, causing passwords longer than 72 bytes to be silently truncated. This reduces effective...