Command Injection in strapi
High severity
GitHub Reviewed
Published
Sep 4, 2020
to the GitHub Advisory Database
•
Updated Dec 29, 2025
Description
Reviewed
Aug 31, 2020
Published to the GitHub Advisory Database
Sep 4, 2020
Last updated
Dec 29, 2025
Versions of
strapibefore 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the/admin/plugins/install/route. This may allow an authenticated attacker with admin privileges to run arbitrary commands in the server.Recommendation
Upgrade to version 3.0.0-beta.17.8 or later
References