Skip to content
Threat Feed
Subscribe

Vendor

Strapi

3 briefs RSS
high advisory

Multiple Vulnerabilities in Strapi

Multiple vulnerabilities in Strapi could allow an attacker to cause a denial-of-service condition, gain administrator privileges, manipulate data, disclose confidential information, or bypass security measures.

Strapi vulnerability denial-of-service privilege-escalation data-manipulation information-disclosure
3r 4t
medium advisory

Strapi Unauthenticated Account Takeover via Relational Filtering Vulnerability (CVE-2026-27886)

Strapi versions prior to 5.37.0 are vulnerable to an unauthenticated boolean-oracle attack against private fields on the joined `admin_users` table, including the `resetPasswordToken` field, via the 'where' query parameter on publicly accessible content-types; extracting an admin reset token via this oracle makes full administrative account takeover possible without authentication.

@strapi/strapi cve strapi account takeover vulnerability
2r 1t
critical advisory

Strapi Content-Type Builder SQL Injection Vulnerability (CVE-2026-22599)

A SQL injection vulnerability, identified as CVE-2026-22599, affects Strapi's Content-Type Builder, where an authenticated administrator could inject arbitrary database statements through the `column.defaultTo` attribute, potentially leading to arbitrary file read, denial of service, or remote code execution on the database server.

@strapi/content-type-builder +1 sql-injection vulnerability strapi
2r 1t