Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

strapi — Vulnerabilities & Security Advisories 18

Browse all 18 CVE security advisories affecting strapi. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Strapi serves as a headless CMS enabling content management through APIs, commonly used for decoupled web applications. Historically, it has faced vulnerabilities across multiple classes, including remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation and access control flaws. With 18 CVEs recorded, notable issues have involved insecure default configurations and insufficient authentication mechanisms. While no major public security incidents have been widely documented, the consistent discovery of vulnerabilities underscores the importance of proper hardening and regular updates for implementations handling sensitive data.

Top products by strapi: Strapi strapi/strapi
CVE IDTitleCVSSSeverityPublished
CVE-2025-53092 Strapi core vulnerable to sensitive data exposure via CORS misconfiguration — strapiCWE-200 6.5 Medium2025-10-16
CVE-2025-25298 Missing Maximum Password Length Validation in Strapi Password Hashing — strapiCWE-261 8.2AIHighAI2025-10-16
CVE-2024-56143 Strapi Allows Unauthorized Access to Private Fields via parms.lookup — strapiCWE-639 8.2 High2025-10-16
CVE-2025-3930 Lack of JWT Expiration after Log Out in Strapi — StrapiCWE-613 9.1AICriticalAI2025-10-16
CVE-2024-52588 Strapi allows Server-Side Request Forgery in Webhook function — strapiCWE-918 4.9 Medium2025-05-29
CVE-2024-34065 @strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass — strapiCWE-294 7.1 High2024-06-12
CVE-2024-31217 @strapi/plugin-upload has a Denial-of-Service via Improper Exception Handling — strapiCWE-248 5.3 Medium2024-06-12
CVE-2024-29181 @strapi/plugin-content-manager leaks data via relations via the Admin Panel — strapiCWE-639 2.3 Low2024-06-12
CVE-2023-39345 Unauthorized Access to Private Fields in User Registration API in strapi — strapiCWE-287 7.6 High2023-11-06
CVE-2023-38507 Strapi Improper Rate Limiting vulnerability — strapiCWE-770 7.3 High2023-09-15
CVE-2023-37263 Strapi's field level permissions not being respected in relationship title — strapiCWE-200 6.8 Medium2023-09-15
CVE-2023-36472 Strapi may leak sensitive user information, user reset password, tokens via content-manager views — strapiCWE-200 5.8 Medium2023-09-15
CVE-2023-34235 Leaking sensitive user information still possible by filtering on private with prefix fields — strapiCWE-200 8.6 High2023-07-25
CVE-2023-34093 Strapi allows actors to make all attributes on a content-type public without noticing it — strapiCWE-200 4.8 Medium2023-07-25
CVE-2022-29894 Strapi 跨站脚本漏洞 — Strapi 4.8 -2022-06-13
CVE-2022-30618 Strapi 安全漏洞 — StrapiCWE-212 7.5 -2022-05-19
CVE-2022-30617 Strapi 安全漏洞 — StrapiCWE-212 8.8 -2022-05-19
CVE-2022-0764 Arbitrary Command Injection in strapi/strapi — strapi/strapiCWE-78 6.7 -2022-02-26

This page lists every published CVE security advisory associated with strapi. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.