Advisories for Npm/@Strapi/Admin package

CVE: CVE-2026-22706 CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (2.1 — Low) Affected Versions: @strapi/admin and @strapi/plugin-users-permissions <=5.33.2 How to Patch: Immediately update your Strapi to >=5.33.3

In Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as localhost, 127.0.0.1, 0.0.0.0,…. in order to make the Application fetching into the internal itself, which causes the vulnerability Server - Side Request Forgery (SSRF).

Attackers can get access to user reset password tokens if they have the configure view permissions.

1. Summary There is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. 2. Details It is possible to avoid this by modifying the rate-limited request path as follows. Manipulating request paths to upper or lower case. (Pattern 1) In this case, avoidance is possible with various patterns. Add path slashes to the end of the request path. (Pattern 2) 3. …