
Apostrophecms Apostrophe vulnerabilities

13 known vulnerabilities affecting apostrophecms/apostrophe.

Total CVEs: 13
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 5, MEDIUM 5, LOW 2

Vulnerabilities

CVE-2026-53609 | P2 | CRITICAL | CVSS 9.1 | ≤ 4.30.0 | 2026-06-12
CVE-2026-53609 [CRITICAL] CWE-1321: ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an authenticated editor to write arbitrary values to `Object.prototype` via the `$pullAll` patch operator. A confirmed gadget in `publicApiCheck()` cause
Sources: nvd
CVE-2026-32730 | P3 | HIGH | CVSS 8.1 | fixed in 4.28.0 | 2026-03-18
CVE-2026-32730 [HIGH] CWE-287: ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authent
Sources: ghsa, nvd, osv
CVE-2026-45013 | P3 | HIGH | CVSS 8.1 | ≤ 4.29.0 | 2026-06-12
CVE-2026-45013 [HIGH] CWE-20: ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using `req.hostname`, which is derived directly from the attacker-controlled HTTP `Host` header when `apos.baseUrl` is not explicitly configured. An unauthenticated attacker who knows a victim's
Sources: nvd
CVE-2026-45012 | P3 | HIGH | CVSS 7.6 | ≤ 4.29.0 | 2026-06-12
CVE-2026-45012 [HIGH] CWE-918: ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation. For i
Sources: nvd
CVE-2026-35569 | P3 | HIGH | CVSS 8.7 | fixed in 4.29.0 | 2026-04-15
CVE-2026-35569 [HIGH] CWE-79: ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including tags, attributes, and JSON-LD structured data. An att
Sources: ghsa, nvd
CVE-2026-45011 | P3 | HIGH | CVSS 7.3 | = 4.29.0 | 2026-06-12
CVE-2026-45011 [HIGH] CWE-79: ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to t
Sources: nvd
CVE-2026-33888 | P3 | MEDIUM | CVSS 5.3 | fixed in 4.29.0 | 2026-04-15
CVE-2026-33888 [MEDIUM] CWE-200: ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthent
Sources: ghsa, nvd
CVE-2026-39857 | P4 | MEDIUM | CVSS 5.3 | fixed in 4.29.0 | 2026-04-15
CVE-2026-39857 [MEDIUM] CWE-200: ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exp
Sources: ghsa, nvd
CVE-2026-45014 | P4 | MEDIUM | CVSS 5.3 | ≤ 4.29.0 | 2026-06-12
CVE-2026-45014 [MEDIUM] CWE-79: ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 are vulnerable to stored cross-site scripting via an unsanitized user display name in the draft version tooltip. As of time of publication, no known patched versions are available.
Sources: nvd
CVE-2026-40186 | P4 | MEDIUM | CVSS 6.1 | >= 4.28.0, < 4.29.0 | 2026-04-15
CVE-2026-40186 [MEDIUM] CWE-79: ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in version 2.17.1 of the ApostropheCMS-maintained sanitize-html package, bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependenc
Sources: nvd
CVE-2026-33889 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.29.0 | 2026-04-15
CVE-2026-33889 [MEDIUM] CWE-79: ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without
Sources: ghsa, nvd
CVE-2026-53607 | P4 | LOW | CVSS 3.7 | ≤ 4.30.0 | 2026-06-12
CVE-2026-53607 [LOW] CWE-918: ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, when `prettyUrls: true` is enabled on `@apostrophecms/file` (a documented SEO feature for serving uploaded files at clean URLs), the public pretty-URL handler builds the upstream URL using the raw `Host` HTTP request header. That URL is then `fetc
Sources: nvd
CVE-2026-33877 | P4 | LOW | CVSS 3.7 | fixed in 4.29.0 | 2026-04-15
CVE-2026-33877 [LOW] CWE-208: ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, the handler returns after a fixed 2-second artificial d
Sources: ghsa, nvd