CVE-2026-33877

🗓️ 15 Apr 2026 19:11:06Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 9 Views🌐 WEB

CVE-2026-33877: Timing side-channel enables user enumeration via password reset in ApostropheCMS; fixed in 4.29.0.

Reporter	Title	Published	Views	Family All 13
ATTACKERKB	CVE-2026-33877	15 Apr 202619:11	–	attackerkb
Circl	CVE-2026-33877	15 Apr 202617:07	–	circl
CNNVD	ApostropheCMS 安全漏洞	15 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-33877 ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint	15 Apr 202619:11	–	cvelist
EUVD	EUVD-2026-23015	16 Apr 202620:42	–	euvd
Github Security Blog	ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint	16 Apr 202620:42	–	github
NVD	CVE-2026-33877	15 Apr 202620:16	–	nvd
OSV	GHSA-MJ7R-X3H3-7RMR ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint	16 Apr 202620:42	–	osv
Positive Technologies	PT-2026-33119	15 Apr 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-33877	5 Jun 202619:46	–	redhatcve

NVD

Vulners

Node

apostrophecms apostrophecmsRange<4.29.0

[
  {
    "vendor": "apostrophecms",
    "product": "apostrophe",
    "versions": [
      {
        "version": "< 4.29.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/apostrophecms/apostrophe/commit/e266cffd8c0d331a9b05c92bf11616556efcdc77
github	www.github.com/apostrophecms/apostrophe/security/advisories/GHSA-mj7r-x3h3-7rmr

Parameter	Position	Path	Description	CWE
username	request body	/api/v1/@apostrophecms/login/reset-request	Timing side-channel vulnerability allowing unauthenticated enumeration of valid accounts via the password reset endpoint.	CWE-208
email	request body	/api/v1/@apostrophecms/login/reset-request	Timing side-channel vulnerability allowing unauthenticated enumeration of valid accounts via the password reset endpoint.	CWE-208

17 Jun 2026 10:38Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.13.7

EPSS0.00365

SSVC

CWE-208