CVE-2022-32114

HIGH

Strapi 4.1.12 - Stored Cross-Site Scripting via PDF Upload in Add New Assets

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-32114. PoCs published by bypazs.

AI-analyzed exploit summary This repository provides a detailed technical explanation of CVE-2022-32114, an unrestricted file upload vulnerability in Strapi v4.1.12. It includes attack vectors, steps to exploit, and references but lacks functional exploit code.

Description

An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired.

Exploits (1)

nomisec WRITEUP 1 stars
by bypazs · poc
https://github.com/bypazs/CVE-2022-32114

This repository provides a detailed technical explanation of CVE-2022-32114, an unrestricted file upload vulnerability in Strapi v4.1.12. It includes attack vectors, steps to exploit, and references but lacks functional exploit code.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Strapi v4.1.12
Auth required
Prerequisites: User credentials with file upload permissions
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v3 8.8
EPSS 0.0283
EPSS Percentile 86.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (2)
strapi/strapi 4.1.12
strapi/strapi 0npm
Published Jul 13, 2022
Tracked Since Feb 18, 2026