Package details: pkg:npm/strapi@3.0.0-alpha.25.2
purl pkg:npm/strapi@3.0.0-alpha.25.2
Next non-vulnerable version 3.2.5
Latest non-vulnerable version 4.10.8
Risk
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-gkb4-ad7n-byd5
Aliases:
CVE-2020-13961
GHSA-65wv-528r-m892
Improper Input Validation: Strapi could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitization. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails.
3.0.2
Affected by 3 other vulnerabilities.
VCID-kzmr-p64p-fycf
Aliases:
CVE-2020-27665
GHSA-4p55-xj37-fx7g
Incorrect Default Permissions: In Strapi, there is no `admin::hasPermissions` restriction for CTB (aka content-type-builder) routes.
3.2.5
Affected by 0 other vulnerabilities.
VCID-q6f6-pmnx-eua8
Aliases:
CVE-2019-19609
GHSA-9p2w-rmx4-9mw7
GMS-2020-779
Command Injection in strapi: Versions of `strapi` before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the `/admin/plugins/install/` route. This may allow an authenticated attacker with admin privileges to run arbitrary commands on the server.
3.0.0-beta.17.8
Affected by 5 other vulnerabilities.
VCID-r9jw-pgw5-guh5
Aliases:
CVE-2020-27664
GHSA-7frv-9phw-vrvr
Improper Input Validation: `admin/src/containers/InputModalStepperProvider/index.js` in Strapi has unwanted `/proxy?url=` functionality.
3.2.5
Affected by 0 other vulnerabilities.
VCID-vu2b-re6f-n7fd
Aliases:
CVE-2020-8123
GHSA-23fp-fmrv-f5px
Uncontrolled Resource Consumption: A denial of service exists in strapi v3.0.0-beta.18.3 and earlier that can be abused in the admin console using admin rights and can lead to arbitrary restart of the application.
3.0.0
Affected by 7 other vulnerabilities.
VCID-yafu-6e7s-y3cw
Aliases:
CVE-2020-27666
GHSA-qvp5-mm7v-4f36
Cross-site Scripting: Strapi has stored XSS in the WYSIWYG editor's preview feature.
3.2.5
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-04T20:40:16.034062+00:00 GitLab Importer Affected by VCID-r9jw-pgw5-guh5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/strapi/CVE-2020-27664.yml 38.6.0
2026-06-04T20:40:14.805994+00:00 GitLab Importer Affected by VCID-yafu-6e7s-y3cw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/strapi/CVE-2020-27666.yml 38.6.0
2026-06-04T20:40:13.546727+00:00 GitLab Importer Affected by VCID-kzmr-p64p-fycf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/strapi/CVE-2020-27665.yml 38.6.0
2026-06-04T20:38:10.507904+00:00 GitLab Importer Affected by VCID-q6f6-pmnx-eua8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/strapi/CVE-2019-19609.yml 38.6.0
2026-06-04T20:32:03.461315+00:00 GitLab Importer Affected by VCID-gkb4-ad7n-byd5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/strapi/CVE-2020-13961.yml 38.6.0
2026-06-04T20:26:58.278418+00:00 GitLab Importer Affected by VCID-vu2b-re6f-n7fd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/strapi/CVE-2020-8123.yml 38.6.0