Look up vulnerable packages by Package URL (purl).

Purl pkg:npm/strapi@1.6.4
Type npm
Namespace
Name strapi
Version 1.6.4
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-acq9-x41j-6bbp
vulnerability_id VCID-acq9-x41j-6bbp
summary
Weak Password Recovery Mechanism for Forgotten Password
strapi mishandles password resets within `packages/strapi-admin/controllers/Auth.js` and `packages/strapi-plugin-users-permissions/controllers/Auth.js`.
references
0
reference_url http://packetstormsecurity.com/files/163939/Strapi-3.0.0-beta-Authentication-Bypass.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/163939/Strapi-3.0.0-beta-Authentication-Bypass.html
1
reference_url http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
2
reference_url http://packetstormsecurity.com/files/165896/Strapi-CMS-3.0.0-beta.17.4-Privilege-Escalation.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/165896/Strapi-CMS-3.0.0-beta.17.4-Privilege-Escalation.html
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-18818
reference_id
reference_type
scores
0
value 0.94045
scoring_system epss
scoring_elements 0.99904
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-18818
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18818
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18818
5
reference_url https://github.com/strapi/strapi
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi
6
reference_url https://github.com/strapi/strapi/pull/4443
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/pull/4443
7
reference_url https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5
8
reference_url https://www.npmjs.com/advisories/1311
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1311
9
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/50237.py
reference_id CVE-2019-18818
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/50237.py
10
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/50716.rb
reference_id CVE-2019-18818
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/50716.rb
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-18818
reference_id CVE-2019-18818
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-18818
12
reference_url https://github.com/advisories/GHSA-6xc2-mj39-q599
reference_id GHSA-6xc2-mj39-q599
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6xc2-mj39-q599
fixed_packages
0
url pkg:npm/strapi@2.0.1
purl pkg:npm/strapi@2.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ax22-q11r-7kgc
1
vulnerability VCID-bpbf-fj8g-5ueg
2
vulnerability VCID-g1c3-eb5k-sfgn
3
vulnerability VCID-gkb4-ad7n-byd5
4
vulnerability VCID-kzmr-p64p-fycf
5
vulnerability VCID-q6f6-pmnx-eua8
6
vulnerability VCID-r9jw-pgw5-guh5
7
vulnerability VCID-vu2b-re6f-n7fd
8
vulnerability VCID-yafu-6e7s-y3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/strapi@2.0.1
1
url pkg:npm/strapi@3.0.0-beta.17.5
purl pkg:npm/strapi@3.0.0-beta.17.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ax22-q11r-7kgc
1
vulnerability VCID-bpbf-fj8g-5ueg
2
vulnerability VCID-g1c3-eb5k-sfgn
3
vulnerability VCID-gkb4-ad7n-byd5
4
vulnerability VCID-kzmr-p64p-fycf
5
vulnerability VCID-q6f6-pmnx-eua8
6
vulnerability VCID-r9jw-pgw5-guh5
7
vulnerability VCID-vu2b-re6f-n7fd
8
vulnerability VCID-yafu-6e7s-y3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/strapi@3.0.0-beta.17.5
aliases CVE-2019-18818, GHSA-6xc2-mj39-q599
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-acq9-x41j-6bbp
1
url VCID-ax22-q11r-7kgc
vulnerability_id VCID-ax22-q11r-7kgc
summary
Weak Password Recovery Mechanism for Forgotten Password
In Strapi, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-28128
reference_id
reference_type
scores
0
value 0.00259
scoring_system epss
scoring_elements 0.49546
published_at 2026-06-05T12:55:00Z
1
value 0.00259
scoring_system epss
scoring_elements 0.49484
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-28128
1
reference_url https://github.com/strapi/strapi
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi
2
reference_url https://github.com/strapi/strapi/issues/9657
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/issues/9657
3
reference_url https://github.com/strapi/strapi/releases/tag/v3.6.0
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/releases/tag/v3.6.0
4
reference_url https://strapi.io/changelog
reference_id
reference_type
scores
url https://strapi.io/changelog
5
reference_url https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-008.txt
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-008.txt
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-28128
reference_id CVE-2021-28128
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-28128
fixed_packages
0
url pkg:npm/strapi@3.6.1
purl pkg:npm/strapi@3.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g1c3-eb5k-sfgn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/strapi@3.6.1
aliases CVE-2021-28128, GHSA-37hx-4mcq-wc3h
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ax22-q11r-7kgc
2
url VCID-bpbf-fj8g-5ueg
vulnerability_id VCID-bpbf-fj8g-5ueg
summary
Duplicate Advisory: OS Command Injection in Strapi
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-9p2w-rmx4-9mw7. This link is maintained to preserve external references.

### Original Description
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
references
0
reference_url http://packetstormsecurity.com/files/163940/Strapi-3.0.0-beta.17.7-Remote-Code-Execution.html
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/163940/Strapi-3.0.0-beta.17.7-Remote-Code-Execution.html
1
reference_url http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
2
reference_url https://bittherapy.net/post/strapi-framework-remote-code-execution
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bittherapy.net/post/strapi-framework-remote-code-execution
3
reference_url https://github.com/strapi/strapi
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi
4
reference_url https://github.com/strapi/strapi/pull/4636
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/pull/4636
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-19609
reference_id CVE-2019-19609
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-19609
6
reference_url https://github.com/advisories/GHSA-49vv-6q7q-w5cf
reference_id GHSA-49vv-6q7q-w5cf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-49vv-6q7q-w5cf
fixed_packages
0
url pkg:npm/strapi@3.0.0-beta.17.8
purl pkg:npm/strapi@3.0.0-beta.17.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ax22-q11r-7kgc
1
vulnerability VCID-g1c3-eb5k-sfgn
2
vulnerability VCID-gkb4-ad7n-byd5
3
vulnerability VCID-kzmr-p64p-fycf
4
vulnerability VCID-r9jw-pgw5-guh5
5
vulnerability VCID-vu2b-re6f-n7fd
6
vulnerability VCID-yafu-6e7s-y3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/strapi@3.0.0-beta.17.8
aliases GHSA-49vv-6q7q-w5cf
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bpbf-fj8g-5ueg
3
url VCID-g1c3-eb5k-sfgn
vulnerability_id VCID-g1c3-eb5k-sfgn
summary
Command injection in strapi
Arbitrary Command Injection in GitHub repository strapi/strapi prior to 4.1.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-0764
reference_id
reference_type
scores
0
value 0.00217
scoring_system epss
scoring_elements 0.44345
published_at 2026-06-05T12:55:00Z
1
value 0.00217
scoring_system epss
scoring_elements 0.44276
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-0764
1
reference_url https://github.com/strapi/strapi
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi
2
reference_url https://github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.js#L13
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.js#L13
3
reference_url https://github.com/strapi/strapi/commit/2a3f5e988be6a2c7dae5ac22b9e86d579b462f4c
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/commit/2a3f5e988be6a2c7dae5ac22b9e86d579b462f4c
4
reference_url https://github.com/strapi/strapi/issues/12879
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/issues/12879
5
reference_url https://huntr.dev/bounties/001d1c29-805a-4035-93bb-71a0e81da3e5
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/001d1c29-805a-4035-93bb-71a0e81da3e5
6
reference_url https://www.github.com/strapi/strapi/commit/2a3f5e988be6a2c7dae5ac22b9e86d579b462f4c
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.github.com/strapi/strapi/commit/2a3f5e988be6a2c7dae5ac22b9e86d579b462f4c
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-0764
reference_id CVE-2022-0764
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-0764
8
reference_url https://github.com/advisories/GHSA-xrjf-phvv-r4vr
reference_id GHSA-xrjf-phvv-r4vr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xrjf-phvv-r4vr
fixed_packages
0
url pkg:npm/strapi@4.1.0
purl pkg:npm/strapi@4.1.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/strapi@4.1.0
aliases CVE-2022-0764, GHSA-xrjf-phvv-r4vr
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g1c3-eb5k-sfgn
4
url VCID-gkb4-ad7n-byd5
vulnerability_id VCID-gkb4-ad7n-byd5
summary
Improper Input Validation
Strapi could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitation. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-13961
reference_id
reference_type
scores
0
value 0.00622
scoring_system epss
scoring_elements 0.70518
published_at 2026-06-05T12:55:00Z
1
value 0.00622
scoring_system epss
scoring_elements 0.70476
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-13961
1
reference_url https://exchange.xforce.ibmcloud.com/vulnerabilities/183045
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://exchange.xforce.ibmcloud.com/vulnerabilities/183045
2
reference_url https://github.com/strapi/strapi
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi
3
reference_url https://github.com/strapi/strapi/pull/6599
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/pull/6599
4
reference_url https://github.com/strapi/strapi/releases/tag/v3.0.2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/releases/tag/v3.0.2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-13961
reference_id CVE-2020-13961
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-13961
fixed_packages
0
url pkg:npm/strapi@3.0.2
purl pkg:npm/strapi@3.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ax22-q11r-7kgc
1
vulnerability VCID-g1c3-eb5k-sfgn
2
vulnerability VCID-kzmr-p64p-fycf
3
vulnerability VCID-r9jw-pgw5-guh5
4
vulnerability VCID-yafu-6e7s-y3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/strapi@3.0.2
aliases CVE-2020-13961, GHSA-65wv-528r-m892
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gkb4-ad7n-byd5
5
url VCID-kzmr-p64p-fycf
vulnerability_id VCID-kzmr-p64p-fycf
summary
Incorrect Default Permissions
In Strapi, there is no `admin::hasPermissions` restriction for CTB (aka content-type-builder) routes.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-27665
reference_id
reference_type
scores
0
value 0.00292
scoring_system epss
scoring_elements 0.52911
published_at 2026-06-05T12:55:00Z
1
value 0.00292
scoring_system epss
scoring_elements 0.52851
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-27665
1
reference_url https://github.com/strapi/strapi/commit/3cdd73987950d5c7976701047b38203e902007bb
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/commit/3cdd73987950d5c7976701047b38203e902007bb
2
reference_url https://github.com/strapi/strapi/pull/8439
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/pull/8439
3
reference_url https://github.com/strapi/strapi/releases/tag/v3.2.5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/releases/tag/v3.2.5
4
reference_url https://snyk.io/vuln/SNYK-JS-STRAPIPLUGINCONTENTTYPEBUILDER-1021616
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-STRAPIPLUGINCONTENTTYPEBUILDER-1021616
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-27665
reference_id CVE-2020-27665
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-27665
6
reference_url https://github.com/advisories/GHSA-4p55-xj37-fx7g
reference_id GHSA-4p55-xj37-fx7g
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4p55-xj37-fx7g
fixed_packages
0
url pkg:npm/strapi@3.2.5
purl pkg:npm/strapi@3.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ax22-q11r-7kgc
1
vulnerability VCID-g1c3-eb5k-sfgn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/strapi@3.2.5
aliases CVE-2020-27665, GHSA-4p55-xj37-fx7g
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kzmr-p64p-fycf
6
url VCID-q6f6-pmnx-eua8
vulnerability_id VCID-q6f6-pmnx-eua8
summary
Command Injection in strapi
Versions of `strapi` before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the `/admin/plugins/install/` route. This may allow an authenticated attacker with admin privileges to run arbitrary commands on the server.
references
0
reference_url http://packetstormsecurity.com/files/163940/Strapi-3.0.0-beta.17.7-Remote-Code-Execution.html
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/163940/Strapi-3.0.0-beta.17.7-Remote-Code-Execution.html
1
reference_url http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-19609
reference_id
reference_type
scores
0
value 0.81127
scoring_system epss
scoring_elements 0.9918
published_at 2026-06-04T12:55:00Z
1
value 0.81127
scoring_system epss
scoring_elements 0.99181
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-19609
3
reference_url https://bittherapy.net/post/strapi-framework-remote-code-execution
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bittherapy.net/post/strapi-framework-remote-code-execution
4
reference_url https://github.com/strapi/strapi
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi
5
reference_url https://github.com/strapi/strapi/pull/4636
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/pull/4636
6
reference_url https://www.npmjs.com/advisories/1424
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1424
7
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/50238.py
reference_id CVE-2019-19609
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/50238.py
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-19609
reference_id CVE-2019-19609
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-19609
9
reference_url https://github.com/advisories/GHSA-9p2w-rmx4-9mw7
reference_id GHSA-9p2w-rmx4-9mw7
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9p2w-rmx4-9mw7
fixed_packages
0
url pkg:npm/strapi@3.0.0-beta.17.8
purl pkg:npm/strapi@3.0.0-beta.17.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ax22-q11r-7kgc
1
vulnerability VCID-g1c3-eb5k-sfgn
2
vulnerability VCID-gkb4-ad7n-byd5
3
vulnerability VCID-kzmr-p64p-fycf
4
vulnerability VCID-r9jw-pgw5-guh5
5
vulnerability VCID-vu2b-re6f-n7fd
6
vulnerability VCID-yafu-6e7s-y3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/strapi@3.0.0-beta.17.8
aliases CVE-2019-19609, GHSA-9p2w-rmx4-9mw7, GMS-2020-779
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q6f6-pmnx-eua8
7
url VCID-r9jw-pgw5-guh5
vulnerability_id VCID-r9jw-pgw5-guh5
summary
Improper Input Validation
`admin/src/containers/InputModalStepperProvider/index.js` in Strapi has unwanted `/proxy?url=` functionality.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-27664
reference_id
reference_type
scores
0
value 0.01344
scoring_system epss
scoring_elements 0.80375
published_at 2026-06-04T12:55:00Z
1
value 0.01344
scoring_system epss
scoring_elements 0.804
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-27664
1
reference_url https://github.com/strapi/strapi/pull/8442
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/pull/8442
2
reference_url https://github.com/strapi/strapi/releases/tag/v3.2.5
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/releases/tag/v3.2.5
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-27664
reference_id CVE-2020-27664
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-27664
fixed_packages
0
url pkg:npm/strapi@3.2.5
purl pkg:npm/strapi@3.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ax22-q11r-7kgc
1
vulnerability VCID-g1c3-eb5k-sfgn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/strapi@3.2.5
aliases CVE-2020-27664, GHSA-7frv-9phw-vrvr
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r9jw-pgw5-guh5
8
url VCID-vu2b-re6f-n7fd
vulnerability_id VCID-vu2b-re6f-n7fd
summary
Uncontrolled Resource Consumption
A denial of service in strapi v3.0.0-beta.18.3 and earlier can be triggered from the admin console by a user with admin rights, leading to an arbitrary restart of the application.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8123
reference_id
reference_type
scores
0
value 0.00601
scoring_system epss
scoring_elements 0.69894
published_at 2026-06-05T12:55:00Z
1
value 0.00601
scoring_system epss
scoring_elements 0.69854
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8123
1
reference_url https://github.com/strapi/strapi
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi
2
reference_url https://github.com/strapi/strapi/commit/c0c191c08f05fe10d7a6b1bf9475c1a651a89362
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/commit/c0c191c08f05fe10d7a6b1bf9475c1a651a89362
3
reference_url https://hackerone.com/reports/768574
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/768574
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8123
reference_id CVE-2020-8123
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8123
5
reference_url https://github.com/advisories/GHSA-23fp-fmrv-f5px
reference_id GHSA-23fp-fmrv-f5px
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-23fp-fmrv-f5px
fixed_packages
0
url pkg:npm/strapi@3.0.0
purl pkg:npm/strapi@3.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-17bb-9xte-jbeg
1
vulnerability VCID-1j5t-31jf-aucc
2
vulnerability VCID-1nkk-pvsd-x7dn
3
vulnerability VCID-5n69-472h-rbcn
4
vulnerability VCID-acq9-x41j-6bbp
5
vulnerability VCID-ax22-q11r-7kgc
6
vulnerability VCID-g1c3-eb5k-sfgn
7
vulnerability VCID-gkb4-ad7n-byd5
8
vulnerability VCID-kzmr-p64p-fycf
9
vulnerability VCID-r9jw-pgw5-guh5
10
vulnerability VCID-yafu-6e7s-y3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/strapi@3.0.0
aliases CVE-2020-8123, GHSA-23fp-fmrv-f5px
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vu2b-re6f-n7fd
9
url VCID-yafu-6e7s-y3cw
vulnerability_id VCID-yafu-6e7s-y3cw
summary
Cross-site Scripting
Strapi has stored XSS in the wysiwyg editor's preview feature.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-27666
reference_id
reference_type
scores
0
value 0.00281
scoring_system epss
scoring_elements 0.5175
published_at 2026-06-04T12:55:00Z
1
value 0.00281
scoring_system epss
scoring_elements 0.51809
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-27666
1
reference_url https://github.com/strapi/strapi/pull/8440
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/pull/8440
2
reference_url https://github.com/strapi/strapi/releases/tag/v3.2.5
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/strapi/strapi/releases/tag/v3.2.5
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-27666
reference_id CVE-2020-27666
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-27666
4
reference_url https://github.com/advisories/GHSA-qvp5-mm7v-4f36
reference_id GHSA-qvp5-mm7v-4f36
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qvp5-mm7v-4f36
fixed_packages
0
url pkg:npm/strapi@3.2.5
purl pkg:npm/strapi@3.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ax22-q11r-7kgc
1
vulnerability VCID-g1c3-eb5k-sfgn
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/strapi@3.2.5
aliases CVE-2020-27666, GHSA-qvp5-mm7v-4f36
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yafu-6e7s-y3cw
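The two command-injection entries above (VCID-bpbf-fj8g-5ueg, withdrawn as a duplicate, and VCID-q6f6-pmnx-eua8; both CVE-2019-19609) describe an unsanitized plugin name from the /admin/plugins/install/ route reaching execa. What follows is an added JavaScript illustration of that bug class beside a hardened form; it is not Strapi's code and is not taken from this page. The installed package name `strapi-plugin-<name>`, the `pluginName` request field and the allowlist regex are this example's own assumptions.

```javascript
'use strict';
// Added illustration (not Strapi's code) of the bug class behind the
// command-injection entries: an admin-supplied plugin name reaching a shell.
// Assumptions of this example, not from the page: the route reads `pluginName`
// from the request body and installs the npm package `strapi-plugin-<name>`.

// VULNERABLE: the untrusted name is spliced into a command *string*. Handed to
// a shell (execa.shell / child_process.exec style), any `;`, `|`, `$(...)` or
// backtick in the name becomes shell syntax instead of part of a package name.
function buildInstallCommandUnsafe(pluginName) {
  return `npm install strapi-plugin-${pluginName}`;
}

// Characters that only mean something to a shell. If a value containing any of
// these can reach a command string, that string builder is unsafe by design.
const SHELL_META = /[;&|`$(){}<>\n\\"' ]/;
function containsShellMetachars(value) {
  return SHELL_META.test(value);
}

// HARDENED, two independent controls:
//  1. Allowlist the name (a conservative subset of npm names; scoped names are
//     deliberately rejected here, widen only together with the argv design).
//  2. Never build a shell string. Return an argv array for execa(file, args)
//     or child_process.spawn(file, args) with the shell disabled, so the name
//     is exactly one argument whatever characters it contains.
const PLUGIN_NAME_RE = /^[a-z0-9][a-z0-9._-]{0,62}$/;

function validatePluginName(pluginName) {
  if (typeof pluginName !== 'string' || !PLUGIN_NAME_RE.test(pluginName)) {
    throw new Error(`invalid plugin name: ${JSON.stringify(pluginName)}`);
  }
  return pluginName;
}

function buildInstallArgv(pluginName) {
  const name = validatePluginName(pluginName);
  // shell:false is already the default for execa and spawn; stated explicitly.
  return { file: 'npm', args: ['install', `strapi-plugin-${name}`], options: { shell: false } };
}
```

The argv form takes the shell out of the path entirely; the allowlist is defence in depth, not a substitute. Neither replaces the admin-only authorization on the route, which is what the PR:H in the CVSS vector reflects: the fix narrows what an admin can do, it does not make the route safe for anonymous callers.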
Fixing_vulnerabilities
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/strapi@1.6.4
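The lookup above is keyed by a Package URL, and the response is only useful once the reader notices that most `fixed_packages` entries carry `is_vulnerable true`, which is why `next_non_vulnerable_version` is null. The following added JavaScript example, not part of VulnerableCode or of this page, parses a purl into the fields shown at the top (type, namespace, name, version, qualifiers, subpath) and triages a response of this shape: highest CVSS v3.1 score, latest EPSS entry, whether any reference is typed `exploit`, and which fix versions are themselves clean. `SAMPLE` is constructed from fields on this page and trimmed to three vulnerabilities; the ranking policy (exploit, then EPSS, then CVSS) is this example's own choice.

```javascript
'use strict';
// Added example, not part of VulnerableCode or this page: parse the package
// URL being looked up and triage a lookup response of the shape shown above.
// SAMPLE is constructed from fields on this page, trimmed to three entries;
// the field names are the response's, the ranking policy is this example's.

// purl grammar: pkg:type/namespace/name@version?qualifiers#subpath
// (namespace, version, qualifiers and subpath are optional; '@' and '/' inside
// a namespace or name are percent-encoded, so the splits below are unambiguous).
function parsePurl(purl) {
  if (!purl.startsWith('pkg:')) throw new Error('not a purl: ' + purl);
  let rest = purl.slice(4).replace(/^\/+/, '');
  let subpath = null;
  const qualifiers = {};
  const hash = rest.indexOf('#');
  if (hash !== -1) { subpath = rest.slice(hash + 1); rest = rest.slice(0, hash); }
  const q = rest.indexOf('?');
  if (q !== -1) {
    for (const kv of rest.slice(q + 1).split('&')) {
      const [k, v = ''] = kv.split('=');
      if (k) qualifiers[k.toLowerCase()] = decodeURIComponent(v);
    }
    rest = rest.slice(0, q);
  }
  let version = null;
  const at = rest.lastIndexOf('@');
  if (at !== -1) { version = decodeURIComponent(rest.slice(at + 1)); rest = rest.slice(0, at); }
  const parts = rest.split('/').filter(Boolean).map(decodeURIComponent);
  if (parts.length < 2) throw new Error('purl needs a type and a name: ' + purl);
  return {
    type: parts[0].toLowerCase(),
    namespace: parts.length > 2 ? parts.slice(1, -1).join('/') : null,
    name: parts[parts.length - 1],
    version, qualifiers, subpath,
  };
}

// Highest CVSS v3.1 base score attached to any reference of the vulnerability.
function maxCvss(vuln) {
  let best = 0;
  for (const r of vuln.references || [])
    for (const s of r.scores || [])
      if (s.scoring_system === 'cvssv3.1') best = Math.max(best, parseFloat(s.value));
  return best;
}

// Most recent EPSS entry: value is the probability, scoring_elements the percentile.
function latestEpss(vuln) {
  let latest = null;
  for (const r of vuln.references || [])
    for (const s of r.scores || [])
      if (s.scoring_system === 'epss' && (!latest || s.published_at > latest.published_at)) latest = s;
  return latest && { probability: parseFloat(latest.value), percentile: parseFloat(latest.scoring_elements) };
}

function hasPublicExploit(vuln) {
  return (vuln.references || []).some(r => r.reference_type === 'exploit');
}

// Fix versions that are themselves clean. On this page every listed fix except
// strapi@4.1.0 is still affected by other advisories, which is why
// next_non_vulnerable_version is null: "fixed for this CVE" is not "safe".
function cleanFixes(vuln) {
  return (vuln.fixed_packages || []).filter(p => p.is_vulnerable === false).map(p => p.purl);
}

// Rank: public exploit first, then EPSS probability, then CVSS base score.
function triage(pkg) {
  const rows = (pkg.affected_by_vulnerabilities || []).map(v => ({
    id: v.vulnerability_id, aliases: v.aliases, cvss: maxCvss(v),
    epss: latestEpss(v), exploit: hasPublicExploit(v), cleanFixes: cleanFixes(v),
  }));
  const p = r => (r.epss ? r.epss.probability : 0);
  return rows.sort((a, b) => (b.exploit - a.exploit) || (p(b) - p(a)) || (b.cvss - a.cvss));
}

const ref = (url, type, scores) => ({ reference_url: url, reference_type: type, scores });
const cvss = (v, vec) => ({ value: v, scoring_system: 'cvssv3.1', scoring_elements: vec });
const epss = (pr, pct, at) => ({ value: pr, scoring_system: 'epss', scoring_elements: pct, published_at: at });
const SAMPLE = { // constructed from this page, trimmed to three vulnerabilities
  purl: 'pkg:npm/strapi@1.6.4', is_vulnerable: true, next_non_vulnerable_version: null,
  affected_by_vulnerabilities: [
    { vulnerability_id: 'VCID-acq9-x41j-6bbp', aliases: ['CVE-2019-18818', 'GHSA-6xc2-mj39-q599'],
      references: [
        ref('https://nvd.nist.gov/vuln/detail/CVE-2019-18818', '', [cvss('9.8', 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H')]),
        ref('https://api.first.org/data/v1/epss?cve=CVE-2019-18818', '', [epss('0.94045', '0.99904', '2026-06-05T12:55:00Z')]),
        ref('https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/50237.py', 'exploit', [])],
      fixed_packages: [{ purl: 'pkg:npm/strapi@2.0.1', is_vulnerable: true }, { purl: 'pkg:npm/strapi@3.0.0-beta.17.5', is_vulnerable: true }] },
    { vulnerability_id: 'VCID-g1c3-eb5k-sfgn', aliases: ['CVE-2022-0764', 'GHSA-xrjf-phvv-r4vr'],
      references: [
        ref('https://nvd.nist.gov/vuln/detail/CVE-2022-0764', '', [cvss('6.1', 'CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L')]),
        ref('https://api.first.org/data/v1/epss?cve=CVE-2022-0764', '', [epss('0.00217', '0.44345', '2026-06-05T12:55:00Z'), epss('0.00217', '0.44276', '2026-06-04T12:55:00Z')])],
      fixed_packages: [{ purl: 'pkg:npm/strapi@4.1.0', is_vulnerable: false }] },
    { vulnerability_id: 'VCID-q6f6-pmnx-eua8', aliases: ['CVE-2019-19609', 'GHSA-9p2w-rmx4-9mw7'],
      references: [
        ref('https://nvd.nist.gov/vuln/detail/CVE-2019-19609', '', [cvss('7.2', 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H')]),
        ref('https://api.first.org/data/v1/epss?cve=CVE-2019-19609', '', [epss('0.81127', '0.99181', '2026-06-05T12:55:00Z')]),
        ref('https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/50238.py', 'exploit', [])],
      fixed_packages: [{ purl: 'pkg:npm/strapi@3.0.0-beta.17.8', is_vulnerable: true }] },
  ],
};
```

Run against the trimmed sample, `triage(SAMPLE)` puts CVE-2019-18818 first (public exploit, EPSS 0.94), CVE-2019-19609 second (public exploit, EPSS 0.81) and CVE-2022-0764 last, and the only clean fix it finds is pkg:npm/strapi@4.1.0. The point for remediation is the last column: picking the `fixed_packages` version of the loudest CVE would land on 3.0.0-beta.17.5, which the same response marks as vulnerable to nine other advisories.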