Arbitrary file upload in strapi - CVE-2026-22707

 


Published: May 13, 2026


Vulnerability identifier: #VU131365
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-22707
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: strapi.io
Affected software:
strapi

Detailed vulnerability description

The vulnerability allows a remote user to upload files of a dangerous type and have script from them executed in the admin panel's origin.

The vulnerability exists due to unrestricted upload of files with dangerous types (CWE-434) in the Upload plugin Content API endpoints when handling file upload requests. A remote user able to reach the upload endpoint can upload a crafted HTML or SVG file; because the file is stored and served as uploaded, a browser that opens it renders it as a document and executes the embedded script in the admin origin, where it can act with the administrator's session.

User interaction is required because an administrator must open the uploaded file directly (navigating to its URL; an SVG displayed through an image tag does not run script). The issue affects only deployments that serve uploaded files from the same origin as the admin panel: script in a file served from a separate origin, such as a dedicated media host or CDN, runs in that origin and cannot reach the admin session.


How to mitigate CVE-2026-22707

Install the security update from the vendor's website. As a general hardening measure that follows from the affected configuration, serving uploaded files from an origin separate from the admin panel (a dedicated media domain or CDN) keeps script in uploaded files out of the admin origin; this reduces exposure but is not a substitute for the update.

Sources