Look up vulnerable packages by Package URL (purl).

Purl: pkg:npm/%40strapi/admin@4.15.5-alpha.0
Type: npm
Namespace: @strapi
Name: admin
Version: 4.15.5-alpha.0
Qualifiers:
Subpath:
Is_vulnerable: true
Next_non_vulnerable_version: 5.33.3
Latest_non_vulnerable_version: 5.33.3
Affected_by_vulnerabilities
0
url VCID-3rtq-tkck-w3gf
vulnerability_id VCID-3rtq-tkck-w3gf
summary Strapi is an open-source content management system. Prior to version 4.25.2, inputting a local domain into the Webhooks URL field leads to the application fetching itself, resulting in a server side request forgery (SSRF). This issue has been patched in version 4.25.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-52588
reference_id
reference_type
scores
0
value 0.00321
scoring_system epss
scoring_elements 0.55636
published_at 2026-06-12T12:55:00Z
1
value 0.00321
scoring_system epss
scoring_elements 0.55638
published_at 2026-06-14T12:55:00Z
2
value 0.00321
scoring_system epss
scoring_elements 0.55516
published_at 2026-06-11T12:55:00Z
3
value 0.00321
scoring_system epss
scoring_elements 0.5565
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-52588
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-52588
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-52588
2
reference_url https://github.com/advisories/GHSA-v8wj-f5c7-pvxf
reference_id GHSA-v8wj-f5c7-pvxf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v8wj-f5c7-pvxf
3
reference_url https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf
reference_id GHSA-v8wj-f5c7-pvxf
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:22Z/
url https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf
fixed_packages
0
url pkg:npm/%40strapi/admin@4.25.2
purl pkg:npm/%40strapi/admin@4.25.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-th7e-fn9a-6ygf
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/admin@4.25.2
aliases CVE-2024-52588, GHSA-v8wj-f5c7-pvxf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3rtq-tkck-w3gf
1
url VCID-th7e-fn9a-6ygf
vulnerability_id VCID-th7e-fn9a-6ygf
summary Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication controllers was conditional on a caller-supplied `deviceId`. When a password change or reset request did not include a `deviceId`, no refresh tokens were revoked, leaving every prior session active. An attacker who had previously obtained a refresh token could continue minting new access tokens after the legitimate user reset their password, allowing persistent unauthorized access for the lifetime of the refresh token (up to 30 days by default). Rotating credentials no longer terminated an active attacker session, defeating password reset as a containment measure. The patch in version 5.33.3 invalidates all refresh tokens associated with the user on every password change and password reset, regardless of whether a `deviceId` is supplied. A new device-scoped session is then issued to the caller as part of the response.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22706
reference_id
reference_type
scores
0
value 0.00063
scoring_system epss
scoring_elements 0.19887
published_at 2026-06-12T12:55:00Z
1
value 0.00063
scoring_system epss
scoring_elements 0.19878
published_at 2026-06-14T12:55:00Z
2
value 0.00063
scoring_system epss
scoring_elements 0.19712
published_at 2026-06-11T12:55:00Z
3
value 0.00063
scoring_system epss
scoring_elements 0.19903
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22706
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22706
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22706
2
reference_url https://github.com/advisories/GHSA-hvp3-26wx-g2w4
reference_id GHSA-hvp3-26wx-g2w4
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hvp3-26wx-g2w4
3
reference_url https://github.com/strapi/strapi/security/advisories/GHSA-hvp3-26wx-g2w4
reference_id GHSA-hvp3-26wx-g2w4
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T14:50:52Z/
url https://github.com/strapi/strapi/security/advisories/GHSA-hvp3-26wx-g2w4
fixed_packages
0
url pkg:npm/%40strapi/admin@5.33.3
purl pkg:npm/%40strapi/admin@5.33.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/admin@5.33.3
aliases CVE-2026-22706, GHSA-hvp3-26wx-g2w4
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-th7e-fn9a-6ygf
Fixing_vulnerabilities:
Risk_score: 3.1
Resource_url: http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/admin@4.15.5-alpha.0
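The Purl breakdown at the top of the page (Type, Namespace, Name, Version, Qualifiers, Subpath) and the double-encoded `%2540strapi` in the Resource_url fields are both consequences of how a Package URL is encoded. The following is an added example parser written for this page, not VulnerableCode's own code; `parsePurl` and `purlFromResourceUrl` are names chosen here.

```javascript
// Added example: parse a Package URL into the components the lookup page lists
// (Type, Namespace, Name, Version, Qualifiers, Subpath). This follows the purl
// grammar  pkg:type/namespace/name@version?qualifiers#subpath  and is not
// VulnerableCode's own parser. Namespace and name segments are percent-decoded,
// which is why "%40strapi" is shown as "@strapi".

function parsePurl(purl) {
  if (!purl.startsWith("pkg:")) throw new Error("purl must start with pkg:");
  let rest = purl.slice("pkg:".length).replace(/^\/+/, ""); // tolerate "pkg://"

  // Strip subpath ('#') and qualifiers ('?') from the right before touching the
  // version, so those characters are never mistaken for part of it.
  let subpath = null;
  const hashIdx = rest.indexOf("#");
  if (hashIdx !== -1) {
    const parts = rest.slice(hashIdx + 1).split("/")
      .filter((s) => s && s !== "." && s !== "..")
      .map(decodeURIComponent);
    subpath = parts.length ? parts.join("/") : null;
    rest = rest.slice(0, hashIdx);
  }
  const qualifiers = {};
  const qIdx = rest.indexOf("?");
  if (qIdx !== -1) {
    for (const pair of rest.slice(qIdx + 1).split("&")) {
      const eq = pair.indexOf("=");
      if (eq === -1) continue;
      const value = decodeURIComponent(pair.slice(eq + 1));
      // keys are case-insensitive; an empty value means the qualifier is absent
      if (value !== "") qualifiers[pair.slice(0, eq).toLowerCase()] = value;
    }
    rest = rest.slice(0, qIdx);
  }

  // The version is whatever follows the last '@'; an '@' inside a namespace or
  // name must itself be percent-encoded, so this split is unambiguous.
  let version = null;
  const atIdx = rest.lastIndexOf("@");
  if (atIdx !== -1) {
    version = decodeURIComponent(rest.slice(atIdx + 1));
    rest = rest.slice(0, atIdx);
  }

  const segments = rest.split("/");
  const type = segments.shift().toLowerCase();
  const name = decodeURIComponent(segments.pop() || "");
  if (!type || !name) throw new Error("purl needs at least a type and a name");
  const nsParts = segments.filter(Boolean).map(decodeURIComponent);
  const namespace = nsParts.length ? nsParts.join("/") : null;

  return { type, namespace, name, version, qualifiers, subpath };
}

// The Resource_url fields embed the purl with the '%' of "%40" encoded once
// more as "%25". Decoding the path once recovers the purl exactly as the Purl
// field shows it (still containing "%40"); parsePurl then decodes "%40" to "@".
function purlFromResourceUrl(resourceUrl) {
  const marker = "/packages/";
  const idx = resourceUrl.indexOf(marker);
  if (idx === -1) throw new Error("not a package resource URL");
  return decodeURIComponent(resourceUrl.slice(idx + marker.length));
}

console.log(parsePurl("pkg:npm/%40strapi/admin@4.15.5-alpha.0"));
```

When feeding purls to a lookup API by hand, encode the `@` of an npm scope exactly once in the purl itself and then URL-encode the whole purl once more for the path, which is how `%40` becomes `%2540`; sending `@strapi` raw makes the `@` ambiguous with the version separator.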