Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

8 advisories

Loading
Authentication Bypass in @strapi/plugin-users-permissions High
GHSA-xv3q-jrmm-4fxv was published for @strapi/plugin-users-permissions (npm) Apr 18, 2023
derrickmehaffy Credited to derrickmehaffy, Ccamm, and Convly Ccamm Ccamm
Convly Convly
Leaking sensitive user information still possible by filtering on private with prefix fields High
CVE-2023-34235 was published for @strapi/database (npm) Jul 25, 2023
Boegie19 Credited to Boegie19, derrickmehaffy, innerdvations, Marc-Roig, and Bassel17 derrickmehaffy derrickmehaffy
innerdvations innerdvations Marc-Roig Marc-Roig Bassel17 Bassel17
Unauthorized Access to Private Fields in User Registration API High
CVE-2023-39345 was published for @strapi/plugin-users-permissions (npm) Nov 3, 2023
dogusdeniz Credited to dogusdeniz, innerdvations, derrickmehaffy, and christiancp100 innerdvations innerdvations
derrickmehaffy derrickmehaffy christiancp100 christiancp100
Strapi leaking sensitive user information by filtering on private fields High
CVE-2023-22894 was published for @strapi/strapi (npm) Apr 19, 2023
derrickmehaffy Credited to derrickmehaffy, Ccamm, Convly, and Marc-Roig Ccamm Ccamm
Convly Convly Marc-Roig Marc-Roig
Strapi Improper Rate Limiting vulnerability High
CVE-2023-38507 was published for @strapi/admin (npm) Sep 13, 2023
scgajge12 Credited to scgajge12, derrickmehaffy, innerdvations, and alexandrebodin derrickmehaffy derrickmehaffy
innerdvations innerdvations alexandrebodin alexandrebodin
@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass High
CVE-2024-34065 was published for @strapi/plugin-users-permissions (npm) Jun 12, 2024
Eventyret Credited to Eventyret, iarce-qb, derrickmehaffy, Convly, innerdvations, and alexandrebodin iarce-qb iarce-qb
derrickmehaffy derrickmehaffy Convly Convly innerdvations innerdvations alexandrebodin alexandrebodin
Strapi Allows Unauthorized Access to Private Fields via parms.lookup High
CVE-2024-56143 was published for @strapi/core (npm) Oct 16, 2025
Boegie19 Credited to Boegie19, alexandrebodin, and derrickmehaffy alexandrebodin alexandrebodin
derrickmehaffy derrickmehaffy
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration High
CVE-2025-53092 was published for @strapi/core (npm) Oct 16, 2025
ghostvirus62 Credited to ghostvirus62, derrickmehaffy, alexandrebodin, and innerdvations derrickmehaffy derrickmehaffy
alexandrebodin alexandrebodin innerdvations innerdvations
ProTip! Advisories are also available from the GraphQL API