Keystonejs Keystone
11 CVEs affecting Keystonejs Keystone. Latest disclosed: 2026-06-04. Critical: 2, High: 2, Medium: 5, Low: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-39382 | Critical | 9.8 | 2022-11-03 | Keystone is a headless CMS for Node.js — built with GraphQL and React. `@keystone-6/core@3.0.0 \|\| 3.0.1` users that use `NODE_ENV` to trigger security-sensitive… |
| CVE-2022-39322 | Critical | 9.1 | 2022-10-25 | @keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who e… |
| CVE-2017-16570 | High | 8.8 | 2017-11-06 | KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issue number SL7_KEYJS_03. In oth… |
| CVE-2017-15879 | High | 8.8 | 2017-10-24 | CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-bet… |
| CVE-2023-34247 | Medium | 6.1 | 2023-06-13 | Keystone is a content management system for Node.JS. There is an open redirect in the `@keystone-6/auth` package versions 7.0.0 and prior, where the redirect l… |
| CVE-2017-15878 | Medium | 6.1 | 2017-10-24 | A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via the Contact Us feature. |
| CVE-2017-15881 | Medium | 4.8 | 2017-10-24 | Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the… |
| CVE-2026-10802 | Medium | 4.3 | 2026-06-04 | A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/o… |
| CVE-2026-33326 | Medium | 4.3 | 2026-03-24 | Keystone is a content management system for Node.js. Prior to version 6.5.2, `{field}.isFilterable` access control can be bypassed in findMany queries by passing… |
| CVE-2023-40027 | Low | 3.7 | 2023-08-15 | Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL qu… |
| CVE-2025-46720 | Low | 3.1 | 2025-05-05 | Keystone is a content management system for Node.js. Prior to version 6.5.0, `{field}.isFilterable` access control can be bypassed in `update` and `delete` mut… |
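The practical use of a table like this is answering "does any of it apply to the versions I actually run?" The script below is an added example (not code from the Keystone project or from this page) that encodes only the affected ranges the table states and checks a map of installed package versions against them, using a hand-rolled semver comparison so that prerelease versions such as `4.0.0-beta.5` sort correctly below `4.0.0-beta.7`. Two things are assumptions, not facts from the page: that KeystoneJS 4.x is the npm package `keystone`, and that the "prior to version 6.5.2" / "prior to version 6.5.0" wording of CVE-2026-33326 and CVE-2025-46720 refers to `@keystone-6/core`. CVE-2023-40027 and CVE-2026-10802 give no semver range above, so they are deliberately not encoded, and the sample `installed` map is constructed for the demonstration rather than taken from a real lockfile.

```javascript
// Added example, not code from the Keystone project or from the page above.
// Matches installed Keystone package versions against the affected ranges the
// CVE table states; ranges the page does not state are deliberately left out.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (optional leading "v").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: compare the numeric core, then treat a prerelease as
// lower than its release (4.0.0-beta.7 < 4.0.0), then compare prerelease
// identifiers left to right, numerically when both sides are numeric.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    if (pa.pre[i] === undefined) return -1;   // fewer identifiers sorts lower
    if (pb.pre[i] === undefined) return 1;
    const x = pa.pre[i], y = pb.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn) {
      return -1;                              // numeric identifiers sort before alphanumeric
    } else if (yn) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

const lt = (v, w) => compareVersions(v, w) < 0;
const lte = (v, w) => compareVersions(v, w) <= 0;
const gte = (v, w) => compareVersions(v, w) >= 0;
const eq = (v, w) => compareVersions(v, w) === 0;

// Affected ranges as stated in the table. Assumptions (not on the page):
// KeystoneJS 4.x ships as the npm package "keystone"; the "prior to 6.5.x"
// ranges of CVE-2026-33326 and CVE-2025-46720 refer to @keystone-6/core.
// CVE-2023-40027 and CVE-2026-10802 state no semver range here and are omitted.
const ADVISORIES = [
  { id: 'CVE-2022-39382', pkg: '@keystone-6/core', affected: (v) => eq(v, '3.0.0') || eq(v, '3.0.1') },
  { id: 'CVE-2022-39322', pkg: '@keystone-6/core', affected: (v) => gte(v, '2.2.0') && lt(v, '2.3.1') },
  { id: 'CVE-2026-33326', pkg: '@keystone-6/core', affected: (v) => lt(v, '6.5.2') },
  { id: 'CVE-2025-46720', pkg: '@keystone-6/core', affected: (v) => lt(v, '6.5.0') },
  { id: 'CVE-2023-34247', pkg: '@keystone-6/auth', affected: (v) => lte(v, '7.0.0') },
  { id: 'CVE-2017-16570', pkg: 'keystone', affected: (v) => lt(v, '4.0.0-beta.7') },
  { id: 'CVE-2017-15879', pkg: 'keystone', affected: (v) => lt(v, '4.0.0-beta.7') },
  { id: 'CVE-2017-15878', pkg: 'keystone', affected: (v) => lt(v, '4.0.0-beta.7') },
  { id: 'CVE-2017-15881', pkg: 'keystone', affected: (v) => lt(v, '4.0.0-beta.7') },
];

// installed: { packageName: exactVersion }, e.g. read from package-lock.json.
// Returns the matching advisories, sorted by CVE ID, with the triggering package/version.
function findApplicableCves(installed) {
  const hits = [];
  for (const adv of ADVISORIES) {
    const version = installed[adv.pkg];
    if (version !== undefined && adv.affected(version)) {
      hits.push({ id: adv.id, pkg: adv.pkg, version });
    }
  }
  return hits.sort((a, b) => (a.id < b.id ? -1 : a.id > b.id ? 1 : 0));
}

// Constructed sample input (not a real lockfile): a Keystone 6 app that still
// carries a legacy Keystone 4 dependency.
const sampleInstalled = {
  '@keystone-6/core': '2.2.5',
  '@keystone-6/auth': '7.0.0',
  keystone: '4.0.0-beta.5',
};

for (const hit of findApplicableCves(sampleInstalled)) {
  console.log(`${hit.id}\t${hit.pkg}@${hit.version}`);
}
```

Feed it the exact versions from your lockfile rather than the ranges in `package.json`: a `^2.2.0` declaration says nothing about whether the resolved version is `2.2.5` (affected by CVE-2022-39322) or `2.3.1` (not). The `6.5.x` rows will flag every older `@keystone-6/core`, which is what "prior to" means; that is a reason to upgrade, not a false positive.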