Strapi Upload Plugin MIME Type Validation Bypass Vulnerability

Vulnerability

A vulnerability exists in the Strapi Upload plugin's Content API endpoints in versions prior to 5.33.3. The issue arises because these endpoints did not properly enforce administrator-defined MIME type restrictions, allowing authenticated users with upload permissions to bypass security measures and upload disallowed file types, such as HTML and SVG. This flaw could lead to serious consequences, including the execution of malicious JavaScript in the admin panel, potentially hijacking admin sessions and facilitating unauthorized actions via the admin API.
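The missing control described above is server-side enforcement of the administrator-defined MIME allowlist on the upload path. The following is an added illustration, not Strapi's code: a standalone Node.js validator that checks the declared type against a hypothetical admin allowlist, confirms the content's magic bytes match that type, and rejects anything that parses as HTML or SVG markup regardless of what the client declared. The allowlist and sample files are constructed for the example.

```javascript
// Added example (not Strapi's code): enforce an admin-defined MIME allowlist
// on the server by validating file content, not the client-supplied type.
// ALLOWED_MIME stands in for the administrator's configuration (assumption).
const ALLOWED_MIME = new Set(['image/png', 'image/jpeg', 'application/pdf']);

// Magic-byte signatures for the permitted types.
const SIGNATURES = {
  'image/png': [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  'image/jpeg': [0xff, 0xd8, 0xff],
  'application/pdf': [0x25, 0x50, 0x44, 0x46], // "%PDF"
};

function hasSignature(buf, sig) {
  return sig.every((b, i) => buf[i] === b);
}

// HTML/SVG served from the upload origin can run script in an admin's browser,
// so active markup is rejected even when it hides behind a valid image header.
function looksLikeMarkup(buf) {
  const head = buf.subarray(0, 1024).toString('latin1').toLowerCase();
  return /<\s*(!doctype\s+html|html|script|svg|iframe)\b/.test(head);
}

// Returns { ok: true } or { ok: false, reason } for a candidate upload.
function validateUpload({ declaredMime, buffer }) {
  const mime = String(declaredMime || '').toLowerCase().split(';')[0].trim();
  if (!ALLOWED_MIME.has(mime)) {
    return { ok: false, reason: `MIME type ${mime || '(none)'} is not allowed` };
  }
  if (!hasSignature(buffer, SIGNATURES[mime])) {
    return { ok: false, reason: `content does not match declared type ${mime}` };
  }
  if (looksLikeMarkup(buffer)) {
    return { ok: false, reason: 'content contains HTML/SVG markup' };
  }
  return { ok: true };
}

// Constructed sample uploads (not real files from any incident).
const PNG_SIG = Buffer.from(SIGNATURES['image/png']);
const SAMPLES = {
  png: { declaredMime: 'image/png', buffer: Buffer.concat([PNG_SIG, Buffer.alloc(16)]) },
  svgAsPng: { declaredMime: 'image/png', buffer: Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"></svg>') },
  pngPolyglot: { declaredMime: 'image/png', buffer: Buffer.concat([PNG_SIG, Buffer.from('<svg></svg>')]) },
  htmlDeclared: { declaredMime: 'text/html', buffer: Buffer.from('<html></html>') },
};
```

The `pngPolyglot` sample shows why the signature check alone is insufficient: a valid image header followed by markup is still rejected by the content check.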

Impact

Exploitation of this vulnerability could allow for unauthorized file uploads that bypass MIME type restrictions, leading to the execution of malicious scripts in the context of an admin user.

Remediation

Users are advised to update Strapi to version 5.33.3 or later.

Added: May 14, 2026, 7:42 PM
Updated: May 14, 2026, 7:42 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 0.6
exploitability: 5.2
remediation: 7.7
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.