
Security Disclosure of Vulnerabilities: CVE-2025-64526, CVE-2026-22599, CVE-2026-22706, CVE-2026-22707, and CVE-2026-27886

Blog post from Strapi

Post Details
Company: Strapi
Date Published:
Author: Derrick Mehaffy
Word Count: 2,241
Language: English
Hacker News Points: -
Summary

Strapi has publicly disclosed and patched five significant security vulnerabilities in its software, thanks to contributions from its community and internal security team. These vulnerabilities include a rate limit bypass on authentication routes (CVE-2025-64526), an SQL injection in the Content-Type Builder (CVE-2026-22599), failure to revoke existing refresh sessions upon password resets (CVE-2026-22706), MIME validation bypass in the Upload plugin (CVE-2026-22707), and a sensitive data leak via relational filtering (CVE-2026-27886). To mitigate these issues, users are advised to update their Strapi installations to specific newer versions. The company emphasizes its commitment to responsible disclosure by coordinating with reporting researchers before public announcements and urges the community to report any new vulnerabilities responsibly. Strapi has also highlighted the challenges posed by an increase in AI-assisted vulnerability report submissions, noting that many reports are invalid, which has impacted their triage timelines.