VYPR
Medium severity (5.4) · GHSA Advisory · Published May 14, 2026 · Updated May 16, 2026

CVE-2026-22707

Description

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restrictions (plugin.upload.security.allowedTypes and deniedTypes), while the same restrictions were correctly enforced on the Admin Panel upload path.

The upload plugin's enforceUploadSecurity check was invoked in the admin upload controller but was missing from the Content API controller. The Content API handlers uploadFiles and replaceFile (and the upload wrapper that dispatches to them) called the underlying upload service directly, bypassing both the magic-byte MIME detection and the configured allow/deny lists. An authenticated user holding the Content API upload permission could therefore upload file types the administrator had explicitly disallowed, including HTML and SVG content.

In deployments that serve uploaded files from the same origin as the admin panel (the default), an attacker could upload an HTML or SVG file that, when opened directly by an administrator, executes JavaScript in the admin origin, enabling admin-session hijack and authenticated administrative actions against the admin API. Serving uploads from a separate origin limits that impact but does not remove the policy bypass itself.

The patch in version 5.33.3 introduces a shared prepareUploadRequest helper that wraps enforceUploadSecurity and is called from both the Content API and admin upload controllers, so every upload entry point applies the same security policy.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions   Patched versions
@strapi/upload   npm         < 5.33.3            5.33.3

Affected products

  • Strapi/Strapi (GHSA, 2 version ranges)
    • (no CPE) range: <= 5.33.2
    • cpe:2.3:a:strapi:strapi:*:*:*:*:*:node.js:*:* range: < 5.33.3
