VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-81gz-hhd8-aqgg

Essentials
Severities (20)
References (13)
Severity details (19)
Exploits (2)
EPSS
History (1)

Vulnerability ID	VCID-81gz-hhd8-aqgg
Aliases	CVE-2019-18818 GHSA-6xc2-mj39-q599
Summary
Status	Published
Exploitability	2.0
Weighted Severity	9.0
Risk	10.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-640	Weak Password Recovery Mechanism for Forgotten Password
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1	9.8	http://packetstormsecurity.com/files/163939/Strapi-3.0.0-beta-Authentication-Bypass.html
generic_textual	CRITICAL	http://packetstormsecurity.com/files/163939/Strapi-3.0.0-beta-Authentication-Bypass.html
cvssv3.1	9.8	http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
generic_textual	CRITICAL	http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
cvssv3.1	9.8	http://packetstormsecurity.com/files/165896/Strapi-CMS-3.0.0-beta.17.4-Privilege-Escalation.html
generic_textual	CRITICAL	http://packetstormsecurity.com/files/165896/Strapi-CMS-3.0.0-beta.17.4-Privilege-Escalation.html
epss	0.94045	https://api.first.org/data/v1/epss?cve=CVE-2019-18818
cvssv3.1	9.8	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18818
generic_textual	CRITICAL	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18818
cvssv3.1_qr	CRITICAL	https://github.com/advisories/GHSA-6xc2-mj39-q599
cvssv3.1	9.8	https://github.com/strapi/strapi
generic_textual	CRITICAL	https://github.com/strapi/strapi
cvssv3.1	9.8	https://github.com/strapi/strapi/pull/4443
generic_textual	CRITICAL	https://github.com/strapi/strapi/pull/4443
cvssv3.1	9.8	https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5
generic_textual	CRITICAL	https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5
cvssv3.1	9.8	https://nvd.nist.gov/vuln/detail/CVE-2019-18818
generic_textual	CRITICAL	https://nvd.nist.gov/vuln/detail/CVE-2019-18818
cvssv3.1	9.8	https://www.npmjs.com/advisories/1311
generic_textual	CRITICAL	https://www.npmjs.com/advisories/1311

Reference id	Reference type	URL
		http://packetstormsecurity.com/files/163939/Strapi-3.0.0-beta-Authentication-Bypass.html
		http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
		http://packetstormsecurity.com/files/165896/Strapi-CMS-3.0.0-beta.17.4-Privilege-Escalation.html
		https://api.first.org/data/v1/epss?cve=CVE-2019-18818
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18818
		https://github.com/strapi/strapi
		https://github.com/strapi/strapi/pull/4443
		https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5
		https://www.npmjs.com/advisories/1311
CVE-2019-18818	Exploit	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/50237.py
CVE-2019-18818	Exploit	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/50716.rb
CVE-2019-18818		https://nvd.nist.gov/vuln/detail/CVE-2019-18818
GHSA-6xc2-mj39-q599		https://github.com/advisories/GHSA-6xc2-mj39-q599

Data source	Metasploit
Description	This module abuses the mishandling of a password reset request for Strapi CMS version 3.0.0-beta.17.4 to change the password of the admin user. Successfully tested against Strapi CMS version 3.0.0-beta.17.4.
Note	Stability: - crash-safe Reliability: [] SideEffects: - ioc-in-logs
Ransomware campaign use	Unknown
Source publication date	Feb. 9, 2022
Source URL	https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/scanner/http/strapi_3_password_reset.rb

Data source	Exploit-DB
Date added	Feb. 8, 2022
Description	Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)
Ransomware campaign use	Unknown
Source publication date	Feb. 8, 2022
Exploit type	webapps
Platform	nodejs
Source update date	Feb. 8, 2022

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://packetstormsecurity.com/files/163939/Strapi-3.0.0-beta-Authentication-Bypass.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://packetstormsecurity.com/files/165896/Strapi-CMS-3.0.0-beta.17.4-Privilege-Escalation.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18818

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/strapi/strapi

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/strapi/strapi/pull/4443

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-18818

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.npmjs.com/advisories/1311

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.99904
EPSS Score	0.94045
Published At	May 30, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-30T21:55:55.809511+00:00	EPSS Importer	Import	https://epss.cyentia.com/epss_scores-current.csv.gz	38.6.0