Threat Feed

Tag: Strapi (3 briefs)
medium advisory

Strapi Unauthenticated Account Takeover via Relational Filtering Vulnerability (CVE-2026-27886)

Strapi versions prior to 5.37.0 are vulnerable to an unauthenticated boolean-oracle attack against private fields on the joined `admin_users` table, including the `resetPasswordToken` field, via the `where` query parameter on publicly accessible content-types; extracting an admin reset token through this oracle makes full administrative account takeover possible without authentication.

@strapi/strapi cve strapi account takeover vulnerability
critical advisory

Strapi Content-Type Builder SQL Injection Vulnerability (CVE-2026-22599)

A SQL injection vulnerability, identified as CVE-2026-22599, affects Strapi's Content-Type Builder, where an authenticated administrator could inject arbitrary database statements through the `column.defaultTo` attribute, potentially leading to arbitrary file read, denial of service, or remote code execution on the database server.

@strapi/content-type-builder sql-injection vulnerability strapi
high advisory

Malicious NPM Packages Target Strapi Users

A threat actor published 36 malicious NPM packages disguised as Strapi plugins in a supply chain attack, designed to execute code, escape containers, harvest credentials, and establish persistent implants on Linux systems targeting Strapi users, with specific focus on the Guardarian cryptocurrency payment gateway.

supply-chain npm strapi malware