Package impact
npm / @strapi/plugin-users-permissions
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-22706 | medium | 6.5 | 6.5 | | | | 20d ago | Strapi: Password Reset Does Not Revoke Existing Refresh Sessions |
| CVE-2025-64526 | medium | 5.3 | 5.3 | | | | 20d ago | Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying |
| CVE-2024-34065 | unknown | — | — | | | | 2y ago | @strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass |
| CVE-2023-39345 | unknown | — | — | | | | 3y ago | Unauthorized Access to Private Fields in User Registration API |
| CVE-2023-38507 | unknown | — | — | | | | 3y ago | Strapi Improper Rate Limiting vulnerability |
| CVE-2023-22621 | unknown | — | — | | | | 3y ago | Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin |
| CVE-2023-22893 | unknown | — | — | | | | 3y ago | Strapi does not verify the access or ID tokens issued during the OAuth flow |