PT-2026-40780 · Strapi · @Strapi/Upload

Author: Arkmarta · Published: 2026-05-13 · Updated: 2026-05-14 · CVE-2026-22707

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: @strapi/upload versions prior to 5.33.3

Description: In the Upload plugin, Content API endpoints failed to enforce the administrator-configured MIME type restrictions defined in plugin.upload.security.allowedTypes and deniedTypes. These restrictions were enforced for the Admin Panel, but the enforceUploadSecurity check was missing from the Content API controller. Consequently, the uploadFiles and replaceFile handlers, as well as the upload wrapper, bypassed MIME detection and the allow/deny lists.

An authenticated user with Content API upload permissions could therefore upload disallowed file types, such as HTML and SVG. If uploaded files are served from the same origin as the admin panel, a malicious HTML or SVG file uploaded this way and later opened by an administrator could execute JavaScript within the admin origin, potentially leading to admin-session hijacking and unauthorized administrative actions via the admin API.

Recommendations: Update @strapi/upload to version 5.33.3 or later.
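The advisory's root cause is a MIME allow/deny check that ran on one upload route but not another. As an added example (not Strapi's own code; the function name and the allow/deny semantics are assumptions), this is the shape of a single content-based check that every upload entry point must call so that no route can bypass the configured allowedTypes and deniedTypes:

```javascript
// Added example, not Strapi's code: one content-based MIME allow/deny check
// that every upload entry point (admin panel AND Content API) must call, so a
// route that skips it cannot bypass plugin.upload.security.allowedTypes /
// deniedTypes. Detection uses file content, never the client-declared type.
// Function name and config semantics are assumptions, not Strapi's real API.
const MAGIC = [ // leading bytes per binary type
  { mime: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },
  { mime: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46] },
];
// HTML and SVG have no fixed magic bytes, so sniff the leading text for markup.
function detectMime(buf) {
  for (const { mime, bytes } of MAGIC) {
    if (bytes.every((b, i) => buf[i] === b)) return mime;
  }
  const head = buf.subarray(0, 512).toString('latin1').trimStart().toLowerCase();
  if (head.startsWith('<svg') || (head.startsWith('<?xml') && head.includes('<svg'))) {
    return 'image/svg+xml';
  }
  if (head.startsWith('<!doctype html') || head.startsWith('<html') || /<script[\s>]/.test(head)) {
    return 'text/html';
  }
  return 'application/octet-stream';
}

// Match a detected type against patterns such as ['image/*', 'application/pdf'].
function matches(mime, patterns) {
  return patterns.some(
    (p) => p === '*' || p === mime || (p.endsWith('/*') && mime.startsWith(p.slice(0, -1))),
  );
}

// Assumed semantics: deniedTypes wins; empty allowedTypes means "anything not denied".
function enforceUploadSecurity(buf, security) {
  const mime = detectMime(buf);
  const { allowedTypes = [], deniedTypes = [] } = security || {};
  if (matches(mime, deniedTypes)) return { ok: false, mime, reason: `${mime} is in deniedTypes` };
  if (allowedTypes.length > 0 && !matches(mime, allowedTypes)) {
    return { ok: false, mime, reason: `${mime} is not in allowedTypes` };
  }
  return { ok: true, mime };
}

// Constructed samples: a plain SVG (the client-declared type is irrelevant) and a real PNG header.
const policy = { allowedTypes: ['image/*', 'application/pdf'], deniedTypes: ['image/svg+xml', 'text/html'] };
const sampleSvg = Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>');
const realPng = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
console.log(enforceUploadSecurity(sampleSvg, policy)); // { ok: false, mime: 'image/svg+xml', reason: ... }
console.log(enforceUploadSecurity(realPng, policy));   // { ok: true, mime: 'image/png' }
```

The point of the fix in 5.33.3 is not the detection logic itself but that the same check is invoked on every route, Content API included.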

Status: Fix

Weakness Enumeration:
Protection Mechanism Failure
Unrestricted File Upload

Related Identifiers:
CVE-2026-22707
GHSA-PCW7-5633-82VV

Affected Products:
@Strapi/Upload