Apostrophecms Apostrophe vulnerabilities

CVE-2026-35569 [HIGH] CWE-79 CVE-2026-35569: ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including tags, attributes, and JSON-LD structured data. An att

CVE-2026-33889 [MEDIUM] CWE-79 CVE-2026-33889: ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without

CVE-2026-40186 [MEDIUM] CWE-79 CVE-2026-40186: ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependenc

CVE-2026-33888 [MEDIUM] CWE-200 CVE-2026-33888: ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthent

CVE-2026-39857 [MEDIUM] CWE-200 CVE-2026-39857: ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exp

CVE-2026-33877 [LOW] CWE-208 CVE-2026-33877: ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, the handler returns after a fixed 2-second artificial d

CVE-2026-32730 [HIGH] CWE-287 CVE-2026-32730: ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer to ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authent