CVE-2020-13961
Description
Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitation. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Strapi before 3.0.2 allows authenticated attackers to bypass security restrictions and modify email templates due to unsanitized global variable storage.
Root Cause
Strapi versions prior to 3.0.2 store email templates in a global variable without proper sanitization [1]. This allows an authenticated remote attacker to bypass security restrictions by sending a specially crafted request to update the email templates used for password reset and account confirmation processes [1][3].
Exploitation
An attacker with remote authenticated access can craft a request that targets the unsanitized global template variable. No special privileges beyond regular authentication are required; the vulnerability lies in the lack of input validation when templates are stored in the global scope [1]. The attack modifies both password reset and account confirmation email templates.
Impact
By altering these email templates, an attacker can inject malicious content into emails sent by the Strapi application. This could lead to phishing attacks, credential theft, or account takeover if users are tricked into following malicious links in the modified emails [1]. The severity is elevated because the attacker can control the content of sensitive transactional emails.
Mitigation
The vulnerability is fixed in Strapi version 3.0.2 [3]. Users should upgrade to this version or later immediately. No workarounds have been documented, and the fix likely involves proper sanitization of template inputs before storing them in the global variable.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| strapi | npm | < 3.0.2 | 3.0.2 |
Affected products
- Strapi / Strapi
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-65wv-528r-m892 (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2020-13961 (NVD entry)
3. exchange.xforce.ibmcloud.com/vulnerabilities/183045 (IBM X-Force Exchange)
4. github.com/strapi/strapi/pull/6599 (fix pull request)
5. github.com/strapi/strapi/releases/tag/v3.0.2 (patched release)
News mentions
No linked articles in our index yet.