OsVault/npm/strapi

npm3 critical

strapi

72 known vulnerabilities · 3 critical · 12 high

CVE-2022-27263CRITICAL

Unrestricted Upload of File with Dangerous Type in Strapi

Published Apr 13, 2022

CVE-2022-31367HIGH

Strapi mishandles hidden attributes within admin API responses

Published Sep 28, 2022

CVE-2022-30618HIGH

Improper Removal of Sensitive Information Before Storage or Transfer in Strapi

Published May 20, 2022

CVE-2020-13961MEDIUM

Improper Input Validation in strapi

Published May 24, 2022

GHSA-9p2w-rmx4-9mw7

Command Injection in strapi

Published Sep 4, 2020

CVE-2019-19609HIGH

Duplicate Advisory: OS Command Injection in Strapi

Published Dec 10, 2021

CVE-2021-46440HIGH

Insecure password handling vulnerability in Strapi

Published May 4, 2022

CVE-2020-27664CRITICAL

Authorization bypass in Strapi

Published May 10, 2021

CVE-2022-29894MEDIUM

Cross-site Scripting in Strapi

Published Jun 14, 2022

CVE-2022-30617HIGH

Improper Removal of Sensitive Information Before Storage or Transfer in Strapi

Published May 20, 2022

CVE-2021-28128HIGH

Weak Password Recovery Mechanism for Forgotten Password in Strapi

Published Oct 6, 2021

CVE-2019-18818CRITICAL

Strapi allows unauthenticated attacker to reset admin password without valid reset token

Published Dec 2, 2019

CVE-2022-0764MEDIUM

Command injection in strapi

Published Feb 27, 2022

GHSA-7mqx-wwh4-f9fw

Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Published May 13, 2026

GHSA-hvp3-26wx-g2w4

Strapi: Password Reset Does Not Revoke Existing Refresh Sessions

Published May 13, 2026

CVE-2023-38507HIGH

Strapi Improper Rate Limiting vulnerability

Published Sep 13, 2023

GHSA-pcw7-5633-82vv

Strapi Upload Plugin MIME Validation Bypass via Content API

Published May 14, 2026

CVE-2024-31217MEDIUM

@strapi/plugin-upload has a Denial-of-Service via Improper Exception Handling

Published Jun 12, 2024

CVE-2024-29181LOW

@strapi/plugin-content-manager leaks data via relations via the Admin Panel

Published Jun 12, 2024

CVE-2020-27666MEDIUM

Cross-site Scripting in Strapi

Published Oct 29, 2020

CVE-2023-22621HIGH

Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin

Published Apr 19, 2023

MAL-2022-6322

Malicious code in strapi-provider-upload-aws-s3-auth (npm)

Published Jun 20, 2022

CVE-2023-37263MEDIUM

Strapi's field level permissions not being respected in relationship title

Published Sep 13, 2023

CVE-2020-27665HIGH

Improper Authorization in Strapi

Published Oct 29, 2020

MAL-2026-2451

Malicious code in strapi-plugin-api (npm)

Published Apr 3, 2026

MAL-2026-2452

Malicious code in strapi-plugin-blurhash (npm)

Published Apr 3, 2026

MAL-2026-2479

Malicious code in strapi-plugin-nordica-tools (npm)

Published Apr 3, 2026

MAL-2026-2462

Malicious code in strapi-plugin-form (npm)

Published Apr 3, 2026

MAL-2026-2484

Malicious code in strapi-plugin-sitemap-gen (npm)

Published Apr 3, 2026

MAL-2026-2454

Malicious code in strapi-plugin-config (npm)

Published Apr 3, 2026

MAL-2026-2455

Malicious code in strapi-plugin-content-sync (npm)

Published Apr 3, 2026

GHSA-3xcq-8mjw-h6mx

Strapi Vulnerable to SQL Injection in Content Type Builder

Published May 13, 2026

MAL-2026-1492

Malicious code in strapi-plugin-workspace-plugin (npm)

Published Mar 17, 2026

MAL-2026-2457

Malicious code in strapi-plugin-cron (npm)

Published Apr 3, 2026

MAL-2026-2458

Malicious code in strapi-plugin-database (npm)

Published Apr 3, 2026

MAL-2026-2463

Malicious code in strapi-plugin-guardarian-ext (npm)

Published Apr 3, 2026

CVE-2024-37818HIGH

Strapi Server-Side Request Forgery (SSRF)

Published Jun 20, 2024

CVE-2025-53092

Strapi core vulnerable to sensitive data exposure via CORS misconfiguration

Published Oct 16, 2025

CVE-2023-22893HIGH

Strapi does not verify the access or ID tokens issued during the OAuth flow

Published Apr 19, 2023

CVE-2023-22894MEDIUM

Strapi leaking sensitive user information by filtering on private fields

Published Apr 19, 2023

MAL-2026-2469

Malicious code in strapi-plugin-logger (npm)

Published Apr 3, 2026

CVE-2024-34065HIGH

@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass

Published Jun 12, 2024

MAL-2026-2453

Malicious code in strapi-plugin-cms-tools (npm)

Published Apr 3, 2026

MAL-2026-2456

Malicious code in strapi-plugin-core (npm)

Published Apr 3, 2026

MAL-2026-2468

Malicious code in strapi-plugin-locale (npm)

Published Apr 3, 2026

MAL-2026-2470

Malicious code in strapi-plugin-monitor (npm)

Published Apr 3, 2026

MAL-2026-2467

Malicious code in strapi-plugin-hooks (npm)

Published Apr 3, 2026

MAL-2026-2450

Malicious code in strapi-plugin-advanced-uuid (npm)

Published Apr 3, 2026

MAL-2026-2464

Malicious code in strapi-plugin-health (npm)

Published Apr 3, 2026

MAL-2026-2465

Malicious code in strapi-plugin-health-check (npm)

Published Apr 3, 2026

MAL-2026-2472

Malicious code in strapi-plugin-nordica-api (npm)

Published Apr 3, 2026

MAL-2026-2473

Malicious code in strapi-plugin-nordica-cms (npm)

Published Apr 3, 2026

MAL-2026-2474

Malicious code in strapi-plugin-nordica-deep (npm)

Published Apr 3, 2026

MAL-2026-2475

Malicious code in strapi-plugin-nordica-lite (npm)

Published Apr 3, 2026

MAL-2026-2476

Malicious code in strapi-plugin-nordica-recon (npm)

Published Apr 3, 2026

MAL-2026-2477

Malicious code in strapi-plugin-nordica-stage (npm)

Published Apr 3, 2026

MAL-2026-2480

Malicious code in strapi-plugin-nordica-vhost (npm)

Published Apr 3, 2026

MAL-2026-2481

Malicious code in strapi-plugin-notify (npm)

Published Apr 3, 2026

MAL-2026-2482

Malicious code in strapi-plugin-seed (npm)

Published Apr 3, 2026

MAL-2026-2504

Malicious code in strapi-plugin-cache (npm)

Published Apr 7, 2026

GHSA-rjg2-95x7-8qmx

Strapi may leak sensitive data via relational filtering due to lack of query sanitization

Published May 14, 2026

MAL-2026-2466

Malicious code in strapi-plugin-hextest (npm)

Published Apr 3, 2026

CVE-2025-25298

Strapi Password Hashing is Missing Maximum Password Length Validation

Published Oct 16, 2025

MAL-2026-2478

Malicious code in strapi-plugin-nordica-sync (npm)

Published Apr 3, 2026

CVE-2023-36472MEDIUM

Strapi may leak sensitive user information, user reset password, tokens via content-manager views

Published Sep 13, 2023

MAL-2026-2471

Malicious code in strapi-plugin-nordica (npm)

Published Apr 3, 2026

MAL-2026-2485

Malicious code in strapi-plugin-sync (npm)

Published Apr 3, 2026

MAL-2026-2459

Malicious code in strapi-plugin-debug-tools (npm)

Published Apr 3, 2026

MAL-2026-2460

Malicious code in strapi-plugin-events (npm)

Published Apr 3, 2026

MAL-2026-2461

Malicious code in strapi-plugin-finseven (npm)

Published Apr 3, 2026

CVE-2023-48218MEDIUM

Bypass of field access control in strapi-plugin-protected-populate

Published Nov 20, 2023

MAL-2026-2483

Malicious code in strapi-plugin-server (npm)

Published Apr 3, 2026

Check your entire dependency tree at onceRun dependency scan →