CVE-2026-35569: Cross-site Scripting in Apostrophe

Severity: 8.7 HIGH (NVD)
EPSS: 0.0% (top 90.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Apr 15; Latest update Apr 16

Description

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including tags, attributes, and JSON-LD structured data. An attacker can inject a payload such as ">alert(1) to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any aut

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N (Exploitability: 2.3 | Impact: 5.8)

Affected Packages (2 packages)

CVEList V5: apostrophecms/apostrophe < 4.29.0

Vulnerability Details (3)

VulDB: apostrophe up to 4.28.x Meta Description cross site scripting (GHSA-855c-r2vq-c292), 2026-04-16
GHSA: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS, 2026-04-16
CVEList: ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS, 2026-04-15