Impact
The vulnerability is a missing security check in the Upload plugin’s Content API. The routine that enforces administrator‑configured MIME type restrictions, `enforceUploadSecurity`, was called only by the Admin Panel controller; the Content API upload handlers invoked the upload service directly, so neither magic‑byte detection nor the allowed/denied type lists were applied to files uploaded through that route. An authenticated user holding Content API upload permission could therefore upload any file type, including HTML and SVG, regardless of the configured restrictions. Because uploaded files are stored by default in a location served from the same origin as the admin panel, an administrator who opens such a file executes attacker‑controlled JavaScript in the admin origin, which can hijack the admin session or perform authenticated administrative actions against the admin API.
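The following is an added illustration of the pattern described above, not Strapi’s own code: a shared `enforceUploadSecurity` check that one controller calls and another skips, beside the fix that moves the check into the service so every entry point inherits it. All names (`uploadSecurity`, `sniffMime`, `uploadService`, the sample files) and the allowed/denied lists are hypothetical, and the magic‑byte table covers only a few formats. It runs stand‑alone under Node.js.

```javascript
// Added illustration, not Strapi's own code. All names are hypothetical.

// Administrator-configured restrictions (assumed values).
const uploadSecurity = {
  allowedTypes: ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'],
  deniedTypes: ['image/svg+xml', 'text/html'],
};

// Magic-byte table for a few binary formats (assumed, not exhaustive).
const MAGIC = [
  { mime: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },
  { mime: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46] },
];

// Decide the type from content, never from the client-declared MIME type or extension.
function sniffMime(buf) {
  for (const { mime, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return mime;
  }
  // Text formats that a browser renders as active content when served same-origin.
  const head = buf.subarray(0, 1024).toString('utf8')
    .replace(/^\uFEFF/, '').trimStart().toLowerCase();
  if (head.startsWith('<svg') || (head.startsWith('<?xml') && head.includes('<svg'))) {
    return 'image/svg+xml';
  }
  if (head.startsWith('<!doctype html') || head.startsWith('<html') || head.includes('<script')) {
    return 'text/html';
  }
  return 'application/octet-stream';
}

// The policy check. Rejects content that is denied, not allowed, or that lies
// about its declared type (payload.svg renamed to avatar.png with Content-Type image/png).
function enforceUploadSecurity(file, security) {
  const detected = sniffMime(file.buffer);
  if (security.deniedTypes.includes(detected)) {
    throw new Error(`upload rejected: ${detected} is denied`);
  }
  if (security.allowedTypes.length > 0 && !security.allowedTypes.includes(detected)) {
    throw new Error(`upload rejected: ${detected} is not in allowedTypes`);
  }
  if (detected !== file.mime) {
    throw new Error(`upload rejected: declared ${file.mime}, content is ${detected}`);
  }
  return detected;
}

// Storage stub standing in for the shared upload service.
function uploadService(file) {
  return { name: file.name, mime: file.mime, stored: true };
}

// Vulnerable wiring: only the admin controller runs the check, so the
// content-API controller reaches the service with the policy unenforced.
function vulnerableAdminUpload(file) {
  enforceUploadSecurity(file, uploadSecurity);
  return uploadService(file);
}
function vulnerableContentApiUpload(file) {
  return uploadService(file); // no enforceUploadSecurity call: the bypass
}

// Fixed wiring: the check lives in the service, so both controllers inherit it.
function fixedUploadService(file) {
  enforceUploadSecurity(file, uploadSecurity);
  return uploadService(file);
}
function fixedAdminUpload(file) { return fixedUploadService(file); }
function fixedContentApiUpload(file) { return fixedUploadService(file); }

// Constructed sample: an SVG carrying an event handler, declared as a PNG.
const disguisedSvg = {
  name: 'avatar.png',
  mime: 'image/png',
  buffer: Buffer.from('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"></svg>'),
};
// Constructed sample: a genuine PNG signature followed by the start of an IHDR chunk.
const realPng = {
  name: 'logo.png',
  mime: 'image/png',
  buffer: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d, 0x49, 0x48, 0x44, 0x52]),
};

// Returns 'accepted' or the rejection reason, so the two wirings can be compared.
function tryUpload(handler, file) {
  try { handler(file); return 'accepted'; } catch (e) { return e.message; }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable content API, disguised SVG:', tryUpload(vulnerableContentApiUpload, disguisedSvg));
  console.log('fixed content API, disguised SVG:     ', tryUpload(fixedContentApiUpload, disguisedSvg));
  console.log('fixed content API, real PNG:          ', tryUpload(fixedContentApiUpload, realPng));
}
```

The design point is where the check sits: when a policy is enforced by each controller, every new entry point is a chance to forget it, whereas a check inside the service is paid by every caller. Note that this only closes the upload side; whether a stored SVG or HTML file can run script in the admin origin also depends on how uploads are served, which is a separate deployment decision.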
Affected Systems
This flaw affects Strapi installations, specifically the `@strapi/upload` plugin and the core `strapi` package, in all versions before 5.33.3. Installations that have the upload feature enabled and rely on MIME type restrictions configured through `plugin.upload.security.allowedTypes` and `deniedTypes` are affected, since those restrictions are exactly the control the Content API upload path skips.
Risk and Exploitability
The CVSS base score is 5.3 (medium). No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated user with Content API upload permission, who uploads an HTML or SVG file that the configured restrictions should have blocked. The upload alone causes no damage; the damage occurs when an administrator opens the stored file, which executes the embedded script in the admin origin (stored XSS) and enables session hijacking. Realizing the full path requires that uploads be served from the same origin as the admin panel, which is the default configuration.
OpenCVE Enrichment
GitHub GHSA