| purl | pkg:npm/%40strapi/admin@4.3.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3rtq-tkck-w3gf (Aliases: CVE-2024-52588, GHSA-v8wj-f5c7-pvxf) | Strapi is an open-source content management system. Prior to version 4.25.2, inputting a local domain into the Webhooks URL field leads to the application fetching itself, resulting in a server-side request forgery (SSRF). This issue has been patched in version 4.25.2. | Affected by 1 other vulnerability. |
| VCID-8s8s-y1ed-qkc5 (Aliases: CVE-2023-36472, GHSA-v8gg-4mq2-88q4) | Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure that they can't be selected. This issue is fixed in version 4.11.7. | Affected by 3 other vulnerabilities. |
| VCID-kvea-g79j-kyge (Aliases: CVE-2023-38507, GHSA-24q2-59hm-rh9r) | Strapi is an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue. | Affected by 2 other vulnerabilities. |
| VCID-th7e-fn9a-6ygf (Aliases: CVE-2026-22706, GHSA-hvp3-26wx-g2w4) | Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication controllers was conditional on a caller-supplied `deviceId`. When a password change or reset request did not include a `deviceId`, no refresh tokens were revoked, leaving every prior session active. An attacker who had previously obtained a refresh token could continue minting new access tokens after the legitimate user reset their password, allowing persistent unauthorized access for the lifetime of the refresh token (up to 30 days by default). Rotating credentials no longer terminated an active attacker session, defeating password reset as a containment measure. The patch in version 5.33.3 invalidates all refresh tokens associated with the user on every password change and password reset, regardless of whether a `deviceId` is supplied. A new device-scoped session is then issued to the caller as part of the response. | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T22:30:10.807097+00:00 | GitLab Importer | Affected by | VCID-th7e-fn9a-6ygf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@strapi/admin/CVE-2026-22706.yml | 38.6.0 |
| 2026-06-12T20:02:30.687317+00:00 | GitLab Importer | Affected by | VCID-3rtq-tkck-w3gf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@strapi/admin/CVE-2024-52588.yml | 38.6.0 |
| 2026-06-12T19:05:39.846080+00:00 | GitLab Importer | Affected by | VCID-kvea-g79j-kyge | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@strapi/admin/CVE-2023-38507.yml | 38.6.0 |
| 2026-06-12T19:05:27.474928+00:00 | GitLab Importer | Affected by | VCID-8s8s-y1ed-qkc5 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@strapi/admin/CVE-2023-36472.yml | 38.6.0 |