Strapi

v5.47.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 16h Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

api cms cms-framework content-management content-management-system customizable

+12 more

web graphql headless-cms jamstack javascript mysql no-code nodejs posgresql rest strapi typescript

ReleasePort's take

Moderate signal

editorial:auto 15h

The v5.47.1 release resolves a critical ReDoS vulnerability in the ajv library by enforcing version 8.18.0.

Why it matters: All deployments using ajv for JSON schema validation must upgrade to version 8.18.0 immediately due to the high-severity (severity 90) ReDoS risk.

Summary

AI summary

Updates ❤️ Thank You, 🔥 Bug fix, and ⚙️ Chore across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Resolves ajv ReDoS vulnerability by forcing [email protected] Resolves ajv ReDoS vulnerability by forcing [email protected] Source: llm_adapter@2026-06-03 Confidence: high	—
Dependency	Low	Upgrades koa-session to version 7.0.2 Upgrades koa-session to version 7.0.2 Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix
Bugfix	Medium	deleteMany now respects filters combined with relation queries deleteMany now respects filters combined with relation queries Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Improves i18n plugin translations for better localization Improves i18n plugin translations for better localization Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Fixes homepage performance issue on large document‑and‑publish tables Fixes homepage performance issue on large document‑and‑publish tables Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Prevents crash in content‑manager repeatable field .map() when relation is missing Prevents crash in content‑manager repeatable field .map() when relation is missing Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Shows documentId(s) for relation fields when entry title is a numeric field in content‑manager Shows documentId(s) for relation fields when entry title is a numeric field in content‑manager Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Fixes frontend validation in content‑manager when "draft and publish" mode is disabled Fixes frontend validation in content‑manager when "draft and publish" mode is disabled Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Skips session secret check for API‑only Strapi applications Skips session secret check for API‑only Strapi applications Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Preserves core store during data‑transfer when the config stage is excluded Preserves core store during data‑transfer when the config stage is excluded Source: llm_adapter@2026-06-03 Confidence: high	—

Full changelog

5.47.1 (2026-06-03)

🔥 Bug fix

deleteMany respects filters combined with relation (#25420)
improve i18n plugin translations (#22714)
resolve ajv ReDoS vulnerability by forcing [email protected] (#26141)
admin: use ISO 639-1 da for Danish admin locale (#26322)
content-manager: documentId(s) shown for relation when entry title set to numeric field (#25622)
content-manager: guard repeatable field .map() crash on relation… (#26421)
content-manager: fix frontend validation if not using "draft and publish" (#25300)
core: skip session secret check for API-only apps (#26390)
data-transfer: preserve core store when config stage is excluded (#26484)
deps: upgrade koa-session to v7.0.2 (#26140)
homepage: homepage count-documents slow on large D&P tables (#26370)
i18n: preserve non-localized field inheritance (#26367)
strapi: preserve tsbuildinfo across develop restarts (#26264)
upgrade: simplify registry URL resolution (#25027)

📚 Documentation Changes

security: overhaul vulnerability reporting policy (#26393)

⚙️ Chore

admin: remove punycode dependency (#26189)
deps: bump axios from 1.16.0 to 1.16.1 (#26456)
deps: bump express-rate-limit from 8.2.1 to 8.5.2 (#26457)
deps: bump @hono/node-server from 1.19.9 to 1.19.14 (#26458)
deps: bump qs from 6.15.0 to 6.15.2 (#26417)
deps: bump @babel/plugin-transform-modules-systemjs from 7.25.9 to 7.29.4 (#26256)
deps: bump hono from 4.11.9 to 4.12.23 (#26455)
deps: bump @tootallnate/once from 2.0.0 to 2.0.1 (#26218)
docs: migrate docusaurus config to typescript (#26471)
mcp: clarify registration lifecycle and simplify error messages (#26517)
upload: remove aiMetadataJobsCleanup cron job (#26442)

💅 Enhancement

core: lazy-load node-schedule and umzug at boot (#26267)
core: eliminate @strapi/typescript-utils from boot path (#26270)
core/core: lazy-load typescript-utils in Strapi and compile (#26266)
strapi: hash-cache peer-dep check; demote env-vars log to debug (#26269)
strapi: lazy-require worker-only deps in dev primary (#26268)

❤️ Thank You

Andrei L @unrevised6419
Aurélien GEORGET
Ben Irvin @innerdvations
DMehaffy @derrickmehaffy
Jamie Howard @jhoward1994
Jayesh Patel @itsmejay80
Jonas Thelemann
José Luis @SalahAdDin
markkaylor @markkaylor
mehmet turac @mturac
Michael Olund
Nico André @nclsndr
Paul Bratslavsky @PaulBratslavsky
pksr @pksr
Subh aush singh
Vishal Kumar Singh @singhvishalkr
Weijie Sun @swjcpy

Security Fixes

Resolve ajv ReDoS vulnerability by forcing [email protected]

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Strapi

Get notified when new releases ship.

About Strapi

The most advanced open-source Content Management Framework (headless-CMS) to build powerful API with no effort.