Path Traversal in Strapi
CVE-2026-27886
Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker cou…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.001 (17.1th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Affected products
- Strapi — versions >= 4.0.0, < 5.37.0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)
Frequently asked questions
- What is CVE-2026-27886?
- CVE-2026-27886 is a high-severity vulnerability in Strapi, classified under Path Traversal. CVSS score: 7.5/10. Published 2026-05-14.
- How severe is CVE-2026-27886?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2026-27886 known to be exploited?
- 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.