{"url":"http://public2.vulnerablecode.io/api/packages/580356?format=json","purl":"pkg:npm/%40strapi/strapi@4.0.0-beta.1","type":"npm","namespace":"@strapi","name":"strapi","version":"4.0.0-beta.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.24.1","latest_non_vulnerable_version":"5.37.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/111023?format=json","vulnerability_id":"VCID-17bb-9xte-jbeg","summary":"Improper Removal of Sensitive Information Before Storage or Transfer in Strapi\nAn authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For example, a low-privileged “author” role account can view these details in the JSON response for an “editor” or “super admin” that has updated one of the author’s blog posts. There are also many other scenarios where such details from other users can leak in the JSON response, either through a direct or indirect relationship. Access to this information enables a user to compromise other users’ accounts by successfully invoking the password reset workflow. In a worst-case scenario, a low-privileged user could get access to a “super admin” account with full control over the Strapi instance, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-30617","reference_id":"","reference_type":"","scores":[{"value":"0.00647","scoring_system":"epss","scoring_elements":"0.71201","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00647","scoring_system":"epss","scoring_elements":"0.71159","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00647","scoring_system":"epss","scoring_elements":"0.71202","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00647","scoring_system":"epss","scoring_elements":"0.71208","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00647","scoring_system":"epss","scoring_elements":"0.71191","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00647","scoring_system":"epss","scoring_elements":"0.71176","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-30617"},{"reference_url":"https://github.com/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30617","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30617"},{"reference_url":"https://www.synopsys.com/blogs/software-security/cyrc-advisory-strapi","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.synopsys.com/blogs/software-security/cyrc-advisory-strapi"},{"reference_url":"https://github.com/advisories/GHSA-f6fm-r26q-p747","reference_id":"GHSA-f6fm-r26q-p747","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f6fm-r26q-p747"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/150784?format=json","purl":"pkg:npm/%40strapi/strapi@4.0.0-beta.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j5t-31jf-aucc"},{"vulnerability":"VCID-36sg-ztn3-mug1"},{"vulnerability":"VCID-5bpn-j31w-k7gb"},{"vulnerability":"VCID-6tkp-v5jw-dke9"},{"vulnerability":"VCID-apu8-13ex-gqhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.0.0-beta.15"}],"aliases":["CVE-2022-30617","GHSA-f6fm-r26q-p747"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-17bb-9xte-jbeg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/111440?format=json","vulnerability_id":"VCID-1j5t-31jf-aucc","summary":"Improper Removal of Sensitive Information Before Storage or Transfer in Strapi\nAn authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are many scenarios in which such details from API users can leak in the JSON response within the admin panel, either through a direct or indirect relationship. Access to this information enables a user to compromise these users’ accounts if the password reset API endpoints have been enabled. In a worst-case scenario, a low-privileged user could get access to a high-privileged API account, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-30618","reference_id":"","reference_type":"","scores":[{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.6047","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60431","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60479","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60482","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60471","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00391","scoring_system":"epss","scoring_elements":"0.60454","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-30618"},{"reference_url":"https://github.com/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30618","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30618"},{"reference_url":"https://www.synopsys.com/blogs/software-security/cyrc-advisory-strapi","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.synopsys.com/blogs/software-security/cyrc-advisory-strapi"},{"reference_url":"https://github.com/advisories/GHSA-vgj7-895j-gpr6","reference_id":"GHSA-vgj7-895j-gpr6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vgj7-895j-gpr6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/152633?format=json","purl":"pkg:npm/%40strapi/strapi@4.1.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-36sg-ztn3-mug1"},{"vulnerability":"VCID-5bpn-j31w-k7gb"},{"vulnerability":"VCID-6tkp-v5jw-dke9"},{"vulnerability":"VCID-apu8-13ex-gqhx"},{"vulnerability":"VCID-dxss-at1b-vkaq"},{"vulnerability":"VCID-jpqv-dukr-fyhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.1.9"}],"aliases":["CVE-2022-30618","GHSA-vgj7-895j-gpr6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1j5t-31jf-aucc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48051?format=json","vulnerability_id":"VCID-36sg-ztn3-mug1","summary":"Strapi is vulnerable to Insufficient Session Expiration\nStrapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed). The existence of /admin/renew-token endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack. This issue has been fixed in version 5.24.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3930","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20354","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20296","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20287","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20404","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20393","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3930"},{"reference_url":"https://github.com/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-16T13:37:13Z/"}],"url":"https://github.com/strapi/strapi"},{"reference_url":"https://strapi.io","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://strapi.io"},{"reference_url":"https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve-October-2025","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-16T13:37:13Z/"}],"url":"https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve-October-2025"},{"reference_url":"https://cert.pl/en/posts/2025/06/CVE-2025-3930","reference_id":"CVE-2025-3930","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-16T13:37:13Z/"}],"url":"https://cert.pl/en/posts/2025/06/CVE-2025-3930"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3930","reference_id":"CVE-2025-3930","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3930"},{"reference_url":"https://github.com/advisories/GHSA-4r8w-3jww-m2rp","reference_id":"GHSA-4r8w-3jww-m2rp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4r8w-3jww-m2rp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70968?format=json","purl":"pkg:npm/%40strapi/strapi@5.24.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@5.24.1"}],"aliases":["CVE-2025-3930","GHSA-4r8w-3jww-m2rp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-36sg-ztn3-mug1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45715?format=json","vulnerability_id":"VCID-5bpn-j31w-k7gb","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nStrapi is an open-source headless content management system. Prior to version 4.10.8, anyone (Strapi developers, users, plugins) can make every attribute of a Content-Type public without knowing it. The vulnerability only affects the handling of content types by Strapi, not the actual content types themselves. Users can use plugins or modify their own content types without realizing that the `privateAttributes` getter is being removed, which can result in any attribute becoming public. This can lead to sensitive information being exposed or the entire system being taken control of by an attacker(having access to password hashes). Anyone can be impacted, depending on how people are using/extending content-types. If the users are mutating the content-type, they will not be affected. Version 4.10.8 contains a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34093","reference_id":"","reference_type":"","scores":[{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.2744","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.27397","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.2739","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.27479","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.2753","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34093"},{"reference_url":"https://github.com/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi"},{"reference_url":"https://github.com/strapi/strapi/commit/2fa8f30371bfd1db44c15e5747860ee5789096de","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-03T20:03:21Z/"}],"url":"https://github.com/strapi/strapi/commit/2fa8f30371bfd1db44c15e5747860ee5789096de"},{"reference_url":"https://github.com/strapi/strapi/releases/tag/v4.10.8","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-03T20:03:21Z/"}],"url":"https://github.com/strapi/strapi/releases/tag/v4.10.8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34093","reference_id":"CVE-2023-34093","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34093"},{"reference_url":"https://github.com/advisories/GHSA-chmr-rg2f-9jmf","reference_id":"GHSA-chmr-rg2f-9jmf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-chmr-rg2f-9jmf"},{"reference_url":"https://github.com/strapi/strapi/security/advisories/GHSA-chmr-rg2f-9jmf","reference_id":"GHSA-chmr-rg2f-9jmf","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-03T20:03:21Z/"}],"url":"https://github.com/strapi/strapi/security/advisories/GHSA-chmr-rg2f-9jmf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66257?format=json","purl":"pkg:npm/%40strapi/strapi@4.10.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-36sg-ztn3-mug1"},{"vulnerability":"VCID-jpqv-dukr-fyhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.10.8"}],"aliases":["CVE-2023-34093","GHSA-chmr-rg2f-9jmf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5bpn-j31w-k7gb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44979?format=json","vulnerability_id":"VCID-6tkp-v5jw-dke9","summary":"Cleartext Storage of Sensitive Information\nStrapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22894","reference_id":"","reference_type":"","scores":[{"value":"0.17914","scoring_system":"epss","scoring_elements":"0.9528","published_at":"2026-06-08T12:55:00Z"},{"value":"0.17914","scoring_system":"epss","scoring_elements":"0.95277","published_at":"2026-06-06T12:55:00Z"},{"value":"0.17914","scoring_system":"epss","scoring_elements":"0.95275","published_at":"2026-06-05T12:55:00Z"},{"value":"0.17914","scoring_system":"epss","scoring_elements":"0.95284","published_at":"2026-06-09T12:55:00Z"},{"value":"0.17914","scoring_system":"epss","scoring_elements":"0.95268","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22894"},{"reference_url":"https://github.com/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi"},{"reference_url":"https://github.com/strapi/strapi/releases","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-05T16:37:12Z/"}],"url":"https://github.com/strapi/strapi/releases"},{"reference_url":"https://github.com/strapi/strapi/releases/tag/v4.8.0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi/releases/tag/v4.8.0"},{"reference_url":"https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-05T16:37:12Z/"}],"url":"https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve"},{"reference_url":"https://www.ghostccamm.com/blog/multi_strapi_vulns","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.ghostccamm.com/blog/multi_strapi_vulns"},{"reference_url":"https://www.ghostccamm.com/blog/multi_strapi_vulns/","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-05T16:37:12Z/"}],"url":"https://www.ghostccamm.com/blog/multi_strapi_vulns/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22894","reference_id":"CVE-2023-22894","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22894"},{"reference_url":"https://github.com/advisories/GHSA-jjqf-j4w7-92w8","reference_id":"GHSA-jjqf-j4w7-92w8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jjqf-j4w7-92w8"},{"reference_url":"https://github.com/strapi/strapi/security/advisories/GHSA-jjqf-j4w7-92w8","reference_id":"GHSA-jjqf-j4w7-92w8","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi/security/advisories/GHSA-jjqf-j4w7-92w8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64820?format=json","purl":"pkg:npm/%40strapi/strapi@4.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-36sg-ztn3-mug1"},{"vulnerability":"VCID-5bpn-j31w-k7gb"},{"vulnerability":"VCID-jpqv-dukr-fyhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.8.0"}],"aliases":["CVE-2023-22894","GHSA-jjqf-j4w7-92w8"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6tkp-v5jw-dke9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110490?format=json","vulnerability_id":"VCID-apu8-13ex-gqhx","summary":"Strapi 4.1.12 Cross-site Scripting via crafted file\nAn unrestricted file upload vulnerability in the Add New Assets function of Strapi v4.1.12 allows attackers to execute arbitrary code via a crafted file. After an authenticated attacker uploads a file containing a malicious URL, a victim copies and pastes the malicious URL into a new tab to receive the XSS payload.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-32114","reference_id":"","reference_type":"","scores":[{"value":"0.02831","scoring_system":"epss","scoring_elements":"0.86471","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02831","scoring_system":"epss","scoring_elements":"0.86473","published_at":"2026-06-09T12:55:00Z"},{"value":"0.02831","scoring_system":"epss","scoring_elements":"0.86459","published_at":"2026-06-08T12:55:00Z"},{"value":"0.02831","scoring_system":"epss","scoring_elements":"0.86452","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02831","scoring_system":"epss","scoring_elements":"0.86475","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02831","scoring_system":"epss","scoring_elements":"0.86476","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-32114"},{"reference_url":"https://docs.strapi.io/dev-docs/configurations/public-assets","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.strapi.io/dev-docs/configurations/public-assets"},{"reference_url":"https://docs.strapi.io/user-docs/users-roles-permissions/configuring-administrator-roles","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.strapi.io/user-docs/users-roles-permissions/configuring-administrator-roles"},{"reference_url":"https://github.com/bypazs/strapi","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bypazs/strapi"},{"reference_url":"https://github.com/strapi/strapi","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi"},{"reference_url":"https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/content-type-builder/admin/src/components/AllowedTypesSelect/index.js#L14","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/content-type-builder/admin/src/components/AllowedTypesSelect/index.js#L14"},{"reference_url":"https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/upload/admin/src/components/MediaLibraryInput/index.js#L33","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/upload/admin/src/components/MediaLibraryInput/index.js#L33"},{"reference_url":"https://grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32114","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32114"},{"reference_url":"https://github.com/advisories/GHSA-4vm8-j95f-j6v5","reference_id":"GHSA-4vm8-j95f-j6v5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4vm8-j95f-j6v5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/596882?format=json","purl":"pkg:npm/%40strapi/strapi@4.2.0-alpha.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-36sg-ztn3-mug1"},{"vulnerability":"VCID-5bpn-j31w-k7gb"},{"vulnerability":"VCID-6tkp-v5jw-dke9"},{"vulnerability":"VCID-jpqv-dukr-fyhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.2.0-alpha.0"}],"aliases":["CVE-2022-32114","GHSA-4vm8-j95f-j6v5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-apu8-13ex-gqhx"}],"fixing_vulnerabilities":[],"risk_score":"4.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/strapi@4.0.0-beta.1"}