Browse all 8 CVE security advisories affecting keystonejs. AI-powered Chinese analysis, POCs, and references for each vulnerability.
KeystoneJS is an open-source Node.js CMS and headless framework for building web applications and content management systems. Its recorded vulnerability classes include remote code execution, cross-site scripting, and privilege escalation, with eight CVEs recorded. Security-relevant characteristics include its Express-based architecture and customizable Admin UI. Notable incidents include a 2021 RCE vulnerability (CVE-2021-22883) allowing arbitrary code execution through crafted API requests, and a 2019 XSS flaw (CVE-2019-5429) in the admin panel. The framework requires careful configuration to mitigate risk, particularly around user input handling and access control.
| CVE ID | Title | Package | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-33326 | @keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany | keystone | CWE-863 | 4.3 | Medium | 2026-03-24 |
| CVE-2025-46720 | Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields | keystone | CWE-203 | 3.1 | Low | 2025-05-05 |
| CVE-2023-40027 | Conditionally missing authorization in @keystone-6/core | keystone | CWE-862 | 3.7 | Low | 2023-08-15 |
| CVE-2023-34247 | @keystone-6/auth Open Redirect vulnerability | keystone | CWE-601 | 6.1 | Medium | 2023-06-13 |
| CVE-2022-39382 | NODE_ENV in Keystone defaults to development with esbuild | keystone | CWE-74 | 9.8 | Critical | 2022-11-03 |
| CVE-2022-39322 | @keystone-6/core vulnerable to field-level access-control bypass for multiselect field | keystone | CWE-285 | 9.1 | Critical | 2022-10-25 |
This page lists every published CVE security advisory associated with keystonejs. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.