npm package
@strapi/admin
pkg:npm/%40strapi/admin
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-22706 | Med | 6.5 | | < 5.33.3 | 5.33.3 | May 14, 2026 | Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admi |
| CVE-2024-52588 | — | | | < 4.25.2 | 4.25.2 | May 29, 2025 | Strapi is an open-source content management system. Prior to version 4.25.2, inputting a local domain into the Webhooks URL field leads to the application fetching itself, resulting in a server side request forgery (SSRF). This issue has been patched in version 4.25.2. |
| CVE-2023-38507 | — | | | < 4.12.1 | 4.12.1 | Sep 15, 2023 | Strapi is an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increa |
| CVE-2023-36472 | — | | | < 4.11.7 | 4.11.7 | Sep 15, 2023 | Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure th |