CVE Tools

keystonejs

Web & CMS Pluginsoss-project

3

Cumulative CVEs

1

Monthly snapshots

#116

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting keystonejs.

CVE-2026-10802keystonejs keystone GraphQL API Endpoint output-field.ts resource consumption4.3Jun 4, 2026
CVE-2026-33326@keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany4.3Mar 24, 2026
CVE-2025-46720Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields3.1May 5, 2025
CVE-2023-40027Conditionally missing authorization in @keystone-6/core3.7Aug 15, 2023
CVE-2023-34247@keystone-6/auth Open Redirect vulnerability6.1Jun 13, 2023
CVE-2022-39382NODE_ENV in Keystone defaults to development with esbuild9.8Nov 3, 2022
CVE-2022-39322@keystone-6/core vulnerable to field-level access-control bypass for multiselect field9.1Oct 25, 2022
CVE-2022-29354An arbitrary file upload vulnerability in the file upload module of Keystone v4.2.1 allows attackers to execute arbitrary code via a crafted file.9.8May 16, 2022
CVE-2022-0087Cross-site Scripting (XSS) - Reflected in keystonejs/keystone6.1Jan 11, 2022
CVE-2021-32624Private Field data leak7.5May 24, 2021
CVE-2015-9240Due to a bug in the the default sign in functionality in the keystone node module before 0.3.16, incomplete email addresses could be matched. A correct password is still required to complete sign in.7.5May 29, 2018
CVE-2017-16570KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issue number SL7_KEYJS_03. In other words, it fails to reject requests ...8.8Nov 6, 2017
CVE-2017-15881Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" ...4.8Oct 24, 2017
CVE-2017-15879CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in ...8.8Oct 24, 2017
CVE-2017-15878A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via the Contact Us feature.6.1Oct 24, 2017