CVE-2026-35569
Published 2026-04-15
Priority P3 (44) · high · 8.7 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS 0.30% (21.4th percentile)
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including tags, attributes, and JSON-LD structured data. An attacker can inject a payload such as ">alert(1) to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any authenticated user who views the affected page. This can be leveraged to perform authenticated API requests, access sensitive data such as usernames, email addresses, and roles via internal APIs, and exfiltrate it to an attacker-controlled server. This issue has been fixed in version 4.29.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apostrophecms | apostrophe | < 4.29.0 | 4.29.0 |
| apostrophecms | apostrophe | >= 0 < 4.29.0 | 4.29.0 |
| apostrophecms | apostrophecms | < 4.29.0 | 4.29.0 |
VulDB
CVE-2026-35569 [HIGH] apostrophe up to 4.28.x Meta Description cross-site scripting (GHSA-855c-r2vq-c292)
vuldb · 2026-04-16 · CVSS 8.7
A vulnerability, which was classified as problematic, has been found in apostrophe up to 4.28.x. Affected by this vulnerability is an unknown functionality of the component Meta Description Handler. This manipulation causes cross-site scripting.
This vulnerability is handled as CVE-2026-35569. The attack can be initiated remotely. No exploit is available.
It is advisable to upgrade the affected component.
GHSA
CVE-2026-35569 [HIGH] CWE-116: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS
ghsa · 2026-04-16
## Summary
A stored cross-site scripting (XSS) vulnerability exists in SEO-related fields (SEO Title and Meta Description) in ApostropheCMS.
Improper neutralization of user-controlled input in SEO-related fields allows injection of arbitrary JavaScript into HTML contexts, resulting in stored cross-site scripting (XSS). This can be leveraged to perform authenticated API requests and exfiltrate sensitive data, resulting in a compromise of application confidentiality.
## Affected Version
ApostropheCMS (tested on version: v4.28.0)
## Vulnerability Details
User-controlled input in SEO fields is improperly handled and rendered into HTML contexts such as:
- `<title>` element content
- `<meta>` tag attribute values
- structured data (JSON-LD)
This
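The three contexts listed above each need a different encoder, and that is the part worth seeing in code. What follows is an added example written for this page, not ApostropheCMS code and not the advisory's proof of concept: a minimal Node.js head renderer in the raw-interpolation pattern the advisory describes, beside a hardened version, with two checks that tell them apart. The `constructedSeo` field values, the function names and the JSON-LD object shape are assumptions made for the illustration.

```javascript
// Added example for this page, not ApostropheCMS code: render SEO fields into
// the three head contexts named in the advisory (title element content, meta
// attribute value, JSON-LD script body) the unsafe way and the hardened way.

// Constructed attacker-controlled field values for the illustration; the shapes
// follow the advisory's description of the attack, the exact strings are made up.
const constructedSeo = {
  seoTitle: 'Home "><script>alert(1)</script>',
  metaDescription: 'Welcome"><img src=x onerror=alert(2)>',
};

// Encoder for HTML element content and double-quoted attribute values: the
// five characters that can terminate either context are replaced by entities.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Encoder for JSON placed inside <script type="application/ld+json">. The HTML
// tokenizer ends a script element at the first "</script" it sees, whatever
// the JSON quoting, so JSON.stringify alone is insufficient. Replacing '<',
// '>' and '&' with JSON \u escapes keeps the output valid JSON that decodes to
// the identical strings, while leaving no literal '<' for the tokenizer.
function jsonForScriptTag(obj) {
  return JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// Assumed JSON-LD shape built from the two SEO fields.
function jsonLdFor(seo) {
  return {
    '@context': 'https://schema.org',
    '@type': 'WebPage',
    name: seo.seoTitle,
    description: seo.metaDescription,
  };
}

// Vulnerable pattern: raw interpolation into all three contexts.
function renderSeoHeadUnsafe(seo) {
  return [
    `<title>${seo.seoTitle}</title>`,
    `<meta name="description" content="${seo.metaDescription}">`,
    `<script type="application/ld+json">${JSON.stringify(jsonLdFor(seo))}</script>`,
  ].join('\n');
}

// Hardened pattern: one encoder per context.
function renderSeoHeadSafe(seo) {
  return [
    `<title>${escapeHtml(seo.seoTitle)}</title>`,
    `<meta name="description" content="${escapeHtml(seo.metaDescription)}">`,
    `<script type="application/ld+json">${jsonForScriptTag(jsonLdFor(seo))}</script>`,
  ].join('\n');
}

// Check 1: how many script elements would the HTML tokenizer open? A correct
// head has exactly one (the JSON-LD block).
function countScriptOpenTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Check 2: does the JSON-LD block, delimited the way the tokenizer delimits it
// (up to the first "</script>"), still parse and still carry the original values?
function jsonLdIntact(html, seo) {
  const m = html.match(/<script type="application\/ld\+json">([\s\S]*?)<\/script>/i);
  if (!m) return false;
  try {
    const parsed = JSON.parse(m[1]);
    return parsed.name === seo.seoTitle && parsed.description === seo.metaDescription;
  } catch (err) {
    return false; // truncated or corrupted by an injected </script>
  }
}

console.log('unsafe script openers:', countScriptOpenTags(renderSeoHeadUnsafe(constructedSeo)));
console.log('safe script openers:  ', countScriptOpenTags(renderSeoHeadSafe(constructedSeo)));
console.log('unsafe JSON-LD intact:', jsonLdIntact(renderSeoHeadUnsafe(constructedSeo), constructedSeo));
console.log('safe JSON-LD intact:  ', jsonLdIntact(renderSeoHeadSafe(constructedSeo), constructedSeo));
```

Run with `node`. The unsafe renderer produces three `<script` openers and a JSON-LD block that the HTML parser truncates at the injected `</script>`; the hardened one produces exactly one and round-trips both field values. The JSON-LD case is the one most often missed in practice, because `JSON.stringify` escapes quotes but not `<`, and the tokenizer closes the script element at the first `</script` regardless of JSON string boundaries.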
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.