Stripe Stripe

  1. Vendors
  2. Stripe

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Stripe product.

RSS Feeds for Stripe security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Stripe products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Stripe Sorted by Most Security Vulnerabilities since 2018

Stripe Smokescreen2 vulnerabilities

Stripe1 vulnerability

Stripe Api1 vulnerability

Stripe Cli1 vulnerability

Stripe Payment Pro1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Stripe. Stripe did not have any published security vulnerabilities last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 0 0.00
2024 1 7.10
2023 1 9.80
2022 2 5.90
2021 1 7.80
2020 0 0.00
2019 1 7.50

It may take a day or so for new Stripe vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Stripe Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2024-45401 Sep 05, 2024
Path Traversal in stripe-cli 1.11.11.21.3 via Malformed Plugin Shortname stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability.
Stripe Cli
CVE-2023-23315 Mar 01, 2023
Blind SQLi in PrestaShop Stripejs Module <=4.5.5 The PrestaShop e-commerce platform module stripejs contains a Blind SQL injection vulnerability up to version 4.5.5. The method `stripejsValidationModuleFrontController::initContent()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.
Stripe Payment Pro
CVE-2022-29188 May 21, 2022
Smokescreen is an HTTP proxy Smokescreen is an HTTP proxy. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional (e.g., external) URLs by way of a deny list. There was an issue in Smokescreen that made it possible to bypass the deny list feature by surrounding the hostname with square brackets (e.g. `[example.com]`). This only impacted the HTTP proxy functionality of Smokescreen. HTTPS requests were not impacted. Smokescreen version 0.0.4 contains a patch for this issue.
Smokescreen
CVE-2022-24825 Apr 19, 2022
Smokescreen is a simple HTTP proxy that fogs over naughty URLs Smokescreen is a simple HTTP proxy that fogs over naughty URLs. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional (e.g., external) URLs by way of a deny list. There was an issue in Smokescreen that made it possible to bypass the deny list feature by appending a dot to the end of user-supplied URLs, or by providing input in a different letter case. Recommended to upgrade Smokescreen to version 0.0.3 or later.
Smokescreen
CVE-2021-21420 Apr 01, 2021
vscode-stripe is an extension for Visual Studio Code vscode-stripe is an extension for Visual Studio Code. A vulnerability in Stripe for Visual Studio Code extension exists when it loads an untrusted source-code repository containing malicious settings. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. The update addresses the vulnerability by modifying the way the extension validates its settings.
Stripe
CVE-2018-19249 Jan 03, 2019
The Stripe API v1 allows remote attackers to bypass intended access restrictions by replaying api.stripe.com /v1/tokens XMLHttpRequest data The Stripe API v1 allows remote attackers to bypass intended access restrictions by replaying api.stripe.com /v1/tokens XMLHttpRequest data, parsing the response under the object card{}, and reading the cvc_check information if the creation is successful without charging the actual card used in the transaction.
Stripe Api
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.