CVE-2026-39857: Sensitive Information Exposure in Apostrophe

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.0% (top 89.05%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Apr 15
Latest update: Apr 16

Description

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exposed publicly. The choices and counts parameters are processed via applyBuildersSafely before the projection is applied, and MongoDB's distinct opera

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5: apostrophecms/apostrophe < 4.29.0

Vulnerability Details (3 references)

GHSA
ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions (2026-04-16)
VulDB
apostrophe up to 4.28.x REST API distinct information disclosure (GHSA-c276-fj82-f2pq) (2026-04-16)
CVEList
Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions (2026-04-15)
CVE-2026-39857 — Sensitive Information Exposure | cvebase