CVE-2026-22707
Severity: Medium (CVSS v3.1 base score 5.4)
Weakness type: CWE-434 (Unrestricted Upload of File with Dangerous Type)
Published: May 14, 2026  ·  Modified: May 17, 2026  ·  Source: NVD
📄 Description (English)

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restrictions (`plugin.upload.security.allowedTypes` and `deniedTypes`). The same restrictions were correctly enforced on the Admin Panel upload path. The upload plugin's `enforceUploadSecurity` security check was invoked in the admin upload controller but was missing from the Content API controller. The Content API handlers `uploadFiles` and `replaceFile` (and the `upload` wrapper that dispatches to them) called the underlying upload service directly, bypassing both the magic-byte MIME detection and the configured allow/deny lists. An authenticated user with the Content API upload permission could therefore upload file types the administrator had explicitly disallowed, including HTML and SVG content. In deployments serving uploaded files from the same origin as the admin panel (default), an attacker could upload an HTML or SVG file that, when opened directly by an admin, executed JavaScript in the admin origin, enabling admin-session hijack and authenticated administrative actions against the admin API. The patch in version 5.33.3 introduces a shared `prepareUploadRequest` helper that wraps `enforceUploadSecurity` and is called from both the Content API and admin upload controllers, ensuring identical security policy enforcement on every upload entry point.
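To make the bug class concrete, here is an added example; it is not Strapi's code and not from the advisory. It builds a toy upload pipeline with magic-byte MIME detection and an administrator allow/deny policy, then shows a Content API handler that calls the storage service directly (the pre-5.33.3 shape) beside the shared-helper shape the fix describes, where every entry point goes through one `prepareUploadRequest`. The helper names echo the advisory's wording; their bodies, the stand-in service, the policy format (exact MIME types or `type/*` patterns) and the sample files are hypothetical.

```javascript
// Added example, not Strapi's own code. It models the bug class in
// CVE-2026-22707: the admin upload path runs the security check, the
// Content API path calls the storage service directly. The helper names
// follow the advisory's wording; their bodies and the policy format
// (exact MIME types or "type/*" patterns) are hypothetical simplifications.

const MAGIC = [
  { mime: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },
  { mime: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46] },
];

// Magic-byte detection. The client-declared Content-Type is never consulted.
function sniffMime(buf) {
  for (const { mime, bytes } of MAGIC) {
    if (bytes.every((b, i) => buf[i] === b)) return mime;
  }
  // Text formats: inspect the leading bytes for markup.
  const head = buf.subarray(0, 512).toString('utf8').replace(/^\uFEFF/, '').trim().toLowerCase();
  if (/^(<\?xml[^>]*>\s*)?(<!--[\s\S]*?-->\s*)*<svg[\s>]/.test(head)) return 'image/svg+xml';
  if (/<!doctype html|<html[\s>]|<script[\s>]|<body[\s>]/.test(head)) return 'text/html';
  return 'application/octet-stream';
}

// A pattern is an exact MIME type or "type/*"; deniedTypes wins over allowedTypes.
function typeMatches(mime, pattern) {
  return pattern.endsWith('/*') ? mime.startsWith(pattern.slice(0, -1)) : mime === pattern;
}

function enforceUploadSecurity(file, policy) {
  const detected = sniffMime(file.buffer);
  if (policy.deniedTypes.some((p) => typeMatches(detected, p))) {
    throw new Error(`upload rejected: ${detected} is in deniedTypes`);
  }
  if (policy.allowedTypes.length && !policy.allowedTypes.some((p) => typeMatches(detected, p))) {
    throw new Error(`upload rejected: ${detected} is not in allowedTypes`);
  }
  // Persist the detected type, not the one the client declared.
  return { ...file, mime: detected };
}

// Stand-in for the upload service: it stores whatever it is handed.
function createUploadService() {
  const stored = [];
  return {
    upload(file) {
      const record = { name: file.name, mime: file.mime, size: file.buffer.length };
      stored.push(record);
      return record;
    },
    list: () => stored.slice(),
  };
}

// Vulnerable shape: the Content API handler bypasses the check entirely.
function vulnerableContentApiUpload(service, file) {
  return service.upload(file);
}

// Patched shape: a single shared helper that every entry point must call.
function prepareUploadRequest(file, policy) {
  return enforceUploadSecurity(file, policy);
}
const patchedContentApiUpload = (service, file, policy) => service.upload(prepareUploadRequest(file, policy));
const adminUpload = (service, file, policy) => service.upload(prepareUploadRequest(file, policy));

// Constructed inputs: an admin policy, an SVG that runs script on load but is
// declared as PNG by the client, and a genuine PNG header.
const POLICY = { allowedTypes: ['image/*', 'application/pdf'], deniedTypes: ['image/svg+xml', 'text/html'] };
const SVG_WITH_SCRIPT = {
  name: 'avatar.png',
  mime: 'image/png',
  buffer: Buffer.from('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"></svg>'),
};
const REAL_PNG = { name: 'logo.png', mime: 'image/png', buffer: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) };

function demo() {
  const before = createUploadService();
  vulnerableContentApiUpload(before, SVG_WITH_SCRIPT); // stored as "image/png"
  const after = createUploadService();
  let rejected = null;
  try { patchedContentApiUpload(after, SVG_WITH_SCRIPT, POLICY); } catch (e) { rejected = e.message; }
  patchedContentApiUpload(after, REAL_PNG, POLICY);
  adminUpload(after, REAL_PNG, POLICY);
  return { beforeStored: before.list(), afterStored: after.list(), rejected };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the shared helper is that the policy lives in one place: a reviewer can check that every controller calls `prepareUploadRequest` rather than auditing each handler for its own copy of the check. The sniffer here is deliberately small; a real deployment should rely on the patched plugin's detection rather than on an extension or declared type.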

🤖 AI Executive Summary

Strapi versions prior to 5.33.3 fail to enforce the administrator-configured MIME type restrictions on Content API file uploads, so an authenticated user with Content API upload permission can bypass the upload security policy that the admin panel path enforces. The bypass allows uploading HTML or SVG files that execute JavaScript in the admin panel's origin when an administrator opens them directly, which can lead to admin session hijacking and unauthorized administrative actions. Exposure is greatest in deployments that serve uploaded files from the same origin as the admin panel, which is the default configuration.

🤖 AI Intelligence Analysis (analyzed May 27, 2026 19:55)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Strapi for content management, particularly in government digital transformation initiatives, banking portals, healthcare information systems and e-commerce platforms, face significant risk. Government agencies under NCA oversight, SAMA-regulated financial institutions and healthcare providers under MOH regulations carry the highest regulatory exposure. The vulnerability lets an authenticated Content API user with upload permission escalate to administrative access once an administrator opens the uploaded file on the shared origin, compromising sensitive data and system integrity. Organizations in the Kingdom relying on Strapi for public-facing content management systems are at elevated risk of admin account compromise and subsequent data exfiltration or system manipulation.
🏢 Affected Saudi Sectors
Government (Digital Transformation, NCA-regulated agencies)
Banking and Financial Services (SAMA-regulated institutions)
Healthcare (MOH-regulated providers)
E-commerce and Retail
Media and Publishing
Education
Telecommunications
⚖️ Saudi Risk Score (AI): 7.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Strapi instances in your environment running versions prior to 5.33.3
2. Restrict Content API upload permissions to trusted users only; audit existing upload permissions
3. Until patched, block direct browser access to uploaded HTML, SVG and XML files on the admin panel's origin (for example at the reverse proxy), since the attack depends on the file rendering on that origin

PATCHING:
1. Upgrade Strapi to version 5.33.3 or later immediately
2. Test upgrades in non-production environments first
3. Review and re-validate MIME type restrictions (allowedTypes/deniedTypes) after patching

COMPENSATING CONTROLS (if immediate patching not possible):
1. Serve uploaded files from a different origin/subdomain than the admin panel (e.g., cdn.example.com vs admin.example.com)
2. Serve the uploads path with a Content-Security-Policy header of `sandbox` (optionally with `default-src 'none'`) so that an uploaded HTML or SVG file cannot run script and is not treated as the admin origin
3. Configure web server to serve uploaded files with Content-Disposition: attachment header
4. Disable or restrict Content API upload endpoints if not actively used
5. Implement strict file type validation at the reverse proxy/WAF level

DETECTION:
1. Monitor Content API /upload and /replace endpoints for suspicious file uploads
2. Alert on uploads of .html, .svg, .js, .xml files via Content API
3. Review admin panel access logs for administrator requests to uploaded .html or .svg files followed by unexpected administrative API actions
4. Implement file integrity monitoring on upload directories
5. Log and alert on any modifications to plugin.upload.security configuration
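As an added example serving both the compensating-controls list and the detection list above (it is not Strapi's or this page's own code), here is a Koa-style middleware in the `(ctx, next)` shape that Strapi custom middlewares use. It flags or blocks Content API uploads whose declared filename or type is on a deny list (controls 4 and 5, detection 2), and serves everything under `/uploads/` as a download with a sandboxing CSP (controls 1 to 3). The `/api/upload` route prefix, the multipart field name `files`, the file-object property names and the `/uploads/` path are assumptions; check them against your deployment before wiring the middleware in.

```javascript
// Added example, not Strapi's own code. A Koa-style middleware in the
// (ctx, next) shape Strapi custom middlewares use. Assumptions: the Content
// API upload endpoints live under POST /api/upload, the multipart field is
// "files" (ctx.request.files.files, one object or an array), each file
// object carries originalFilename/mimetype (formidable v2+) or name/type
// (formidable v1), and uploads are served under /uploads/ on this origin.

const DANGEROUS_EXT = new Set(['html', 'htm', 'xhtml', 'shtml', 'svg', 'xml', 'js']);
const DANGEROUS_MIME = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml',
  'application/xml', 'text/javascript', 'application/javascript',
]);

function fileExt(name) {
  const m = /\.([a-z0-9]+)$/i.exec(name || '');
  return m ? m[1].toLowerCase() : '';
}

function listUploadedFiles(files) {
  if (!files) return [];
  const f = files.files !== undefined ? files.files : files;
  return Array.isArray(f) ? f : [f];
}

// Compensating controls 4 and 5 / detection 2: flag Content API uploads whose
// declared name or type is one the policy should have denied. Declared values
// are what the client sent, so this catches the careless, not the careful;
// content sniffing belongs in the patched plugin itself.
function inspectUploadRequest(ctx) {
  if (ctx.method !== 'POST' || !ctx.path.startsWith('/api/upload')) return [];
  const flagged = [];
  for (const file of listUploadedFiles(ctx.request && ctx.request.files)) {
    const name = file.originalFilename || file.name || '';
    const mime = String(file.mimetype || file.type || '').toLowerCase();
    const reasons = [];
    if (DANGEROUS_EXT.has(fileExt(name))) reasons.push(`extension .${fileExt(name)}`);
    if (DANGEROUS_MIME.has(mime)) reasons.push(`declared type ${mime}`);
    if (reasons.length) flagged.push({ name, mime, reasons });
  }
  return flagged;
}

// Compensating controls 1 to 3: an uploaded file fetched from /uploads/ is
// offered as a download, cannot run script, and is given an opaque origin by
// the CSP sandbox directive, so it never acts as the admin origin.
function hardenUploadResponse(ctx) {
  if (!ctx.path.startsWith('/uploads/')) return false;
  ctx.set('Content-Disposition', 'attachment');
  ctx.set('Content-Security-Policy', "sandbox; default-src 'none'");
  ctx.set('X-Content-Type-Options', 'nosniff');
  return true;
}

function formatAlert(ctx, f) {
  return `content-api upload flagged ip=${ctx.ip} path=${ctx.path} name="${f.name}" mime=${f.mime} reasons=${f.reasons.join('; ')}`;
}

// mode "block" rejects flagged uploads with 415; mode "monitor" only logs them.
function uploadHardening({ mode = 'block', log = console.warn } = {}) {
  return async (ctx, next) => {
    const flagged = inspectUploadRequest(ctx);
    for (const f of flagged) log(formatAlert(ctx, f));
    if (flagged.length && mode === 'block') {
      ctx.status = 415;
      ctx.body = { error: 'file type not allowed' };
      return;
    }
    await next();
    hardenUploadResponse(ctx);
  };
}

// Minimal stand-in for a Koa context, so the example runs offline.
function makeCtx({ method, path, files, ip = '203.0.113.5' }) {
  const headers = {};
  return {
    method, path, ip, headers, status: 200, body: null,
    request: { files },
    set(name, value) { headers[name.toLowerCase()] = value; },
  };
}

async function demo() {
  const alerts = [];
  const mw = uploadHardening({ mode: 'block', log: (m) => alerts.push(m) });
  // Constructed request: an SVG pushed through the Content API, declared as PNG.
  const upload = makeCtx({ method: 'POST', path: '/api/upload',
    files: { files: { originalFilename: 'banner.svg', mimetype: 'image/png' } } });
  let reachedPlugin = false;
  await mw(upload, async () => { reachedPlugin = true; upload.status = 201; });
  const serve = makeCtx({ method: 'GET', path: '/uploads/banner_9f2c1d.svg' });
  await mw(serve, async () => { serve.status = 200; });
  return { alerts, uploadStatus: upload.status, reachedPlugin, serveHeaders: serve.headers };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Run it in "monitor" mode first to see what legitimate clients actually send; the alert line is the detection signal, the 415 is the control. The response hardening matters even after patching: an uploads path that renders as a document on the admin origin is the precondition the advisory describes, and moving uploads to a separate origin removes it entirely.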
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control: unauthorized privilege escalation via admin session hijacking
ECC 2024 A.5.2.1 - User Registration and Access Management: inadequate enforcement of upload restrictions
ECC 2024 A.6.1.2 - Asset Management: uncontrolled file upload and execution
ECC 2024 A.12.2.1 - Logging and Monitoring: insufficient logging of Content API upload activities
🔵 SAMA CSF
SAMA CSF ID.AM-2: hardware and software assets are inventoried (Strapi version tracking)
SAMA CSF PR.AC-1: access to physical and logical assets is limited (Content API upload permissions)
SAMA CSF PR.PT-2: removable media is protected and its use restricted (file upload controls)
SAMA CSF DE.CM-1: the network is monitored to detect potential cybersecurity events (upload monitoring)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of duties: inadequate separation between Content API and admin upload controls
ISO 27001:2022 A.5.15 - Access control: insufficient enforcement of upload policy restrictions
ISO 27001:2022 A.8.28 - Secure coding: the security check present on the admin path was missing from the Content API path
ISO 27001:2022 A.8.15 - Logging: inadequate audit trails for upload activities
🟣 PCI DSS v4.0.1
PCI DSS 1.3.1 - Inbound traffic to the CDE is restricted to only traffic that is necessary (if processing payments)
PCI DSS 6.2.4 - Software engineering techniques prevent common attacks, including attacks on access control mechanisms (file upload bypass)
PCI DSS 10.2.1 - Audit logs are enabled and active for all system components (upload logging)
📦 Affected Products / CPE (1 entry)
strapi:strapi
📊 CVSS Score
5.4 / 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: Low (L)
User Interaction: None (N)
Scope: Unchanged (U)
Confidentiality: Low (L)
Integrity: Low (L)
Availability: None (N)
📋 Quick Facts
Severity: Medium
CVSS Score: 5.4
CWE: CWE-434
EPSS: 0.03%
Exploit: No
Patch: Yes (fixed in Strapi 5.33.3)
Published: 2026-05-14
Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.2 / 10.0 (Priority: HIGH)