SB2026051393 - Multiple vulnerabilities in strapi
Published: May 13, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Arbitrary file upload (CVE-ID: CVE-2026-22707)
The vulnerability allows a remote user to upload dangerous file types and execute script in the admin origin.
The vulnerability exists due to unrestricted upload of a file with a dangerous type in the Upload plugin Content API endpoints when handling file upload requests. A remote user can upload a crafted HTML or SVG file and execute script in the admin origin.
User interaction is required because an administrator must open the uploaded file directly. The issue affects deployments serving uploaded files from the same origin as the admin panel.
2) Insufficient Session Expiration (CVE-ID: CVE-2026-22706)
The vulnerability allows a remote user to maintain unauthorized access after a password reset.
The vulnerability exists due to improper session expiration in the users-permissions and admin authentication controllers when handling password change or reset requests without a deviceId. A remote privileged user can use a previously obtained refresh token to maintain unauthorized access after a password reset.
Existing refresh-token sessions remain active if the password change or reset request does not include a deviceId.
Remediation
Install the update from the vendor's website.