19 matches found

EUVD · added 2026/04/16 8:42 p.m. · 2 views

EUVD-2026-23015

ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint...

CVSS 3.7 · AI score 5.8 · EPSS 0.00029 · Exploits: 1 · References: 3
Cvelist · added 2026/04/15 7:34 p.m. · 18 views

CVE-2026-35569 ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields SEO Title and Meta Description, where user-controlled input is rendered without proper output encoding into HTML contexts includin...

CVSS 8.7 · EPSS 0.00037 · Exploits: 1 · References: 3
ATTACKERKB · added 2026/04/15 7:29 p.m. · 1 view

CVE-2026-33889

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the...

CVSS 5.4 · AI score 5.7 · EPSS 0.00014 · Exploits: 1 · References: 3 · Affected software: 1
Positive Technologies · added 2026/04/15 12:00 a.m. · 1 view

PT-2026-33174

Name of the Vulnerable Software and Affected Versions: ApostropheCMS versions prior to 4.29.0; sanitize-html version 2.17.1. Description: A regression in the sanitize-html package allows a bypass of allowedTags enforcement for text within nonTextTagsArray elements, specifically textarea and option. T...

CVSS 6.1 · AI score 5.8 · EPSS 0.00015 · Exploits: 1 · References: 5
CNNVD · added 2026/04/15 12:00 a.m. · 4 views

ApostropheCMS security vulnerability

ApostropheCMS is an open-source, full-stack content management system by Apostrophe Technologies. Version 4.28.0 of ApostropheCMS has a security vulnerability. It stems from the sanitize-html package allowing a bypass of the allowedTags enforcement mechanism, potentially leading to...

CVSS 6.1 · AI score 5.6 · EPSS 0.00015 · Exploits: 1 · References: 1
OSV · added 2026/03/18 10:00 p.m. · 4 views

CVE-2026-32730 ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in @apostrophecms/express/index.js lines 386-389 contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA...

CVSS 8.1 · AI score 5.9 · EPSS 0.0013 · Exploits: 1 · References: 3
Cvelist · added 2026/03/18 10:00 p.m. · 17 views

CVE-2026-32730 ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in @apostrophecms/express/index.js lines 386-389 contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA...

CVSS 8.1 · EPSS 0.0013 · Exploits: 1 · References: 1
CNNVD · added 2026/03/18 12:00 a.m. · 3 views

ApostropheCMS security vulnerability

ApostropheCMS is an open-source, full-stack content management system by Apostrophe Technologies. Versions of ApostropheCMS prior to 4.28.0 contain a security vulnerability caused by incorrect MongoDB queries, which could lead to bypassing multi-factor authentication...

CVSS 8.1 · AI score 5.8 · EPSS 0.0013 · Exploits: 1 · References: 1
vulnersOsv · added 2024/09/19 4:06 p.m. · 5 views

com.trendyol:stove-testing-e2e-kafka (>=0.13.0 <=0.13.1) potentially affected by CVE-2024-7254 via com.google.protobuf:protobuf-kotlin (=4.28.0)

com.google.protobuf:protobuf-kotlin MAVEN version =4.28.0 is affected by a known vulnerability. The following packages have a transitive dependency on com.google.protobuf:protobuf-kotlin and may be impacted: - com.trendyol:stove-testing-e2e-kafka =0.13.0, =0.13.1 Source cves: CVE-2024-7254 Source...

CVSS 8.7 · AI score 6.8 · EPSS 0.00134 · Exploits: 0
vulnersOsv · added 2024/09/19 4:06 p.m. · 2 views

build.buf:protovalidate (>=0.3.1 <=0.4.1), cn.loyom.boot:loyom-boot-cache (=1.0.0-JDK21) +113 more potentially affected by CVE-2024-7254 via com.google.protobuf:protobuf-java (>=4.28.0-RC1 <=4.28.1)

com.google.protobuf:protobuf-java MAVEN version =4.28.0-RC1, =0.3.1, =0.4.1 - cn.loyom.boot:loyom-boot-cache =1.0.0-JDK21 - cn.loyom.boot:loyom-boot-common =1.0.0-JDK21 - cn.loyom.boot:loyom-boot-jar-loader =1.0.0-JDK21 - cn.loyom.boot:loyom-boot-plugin =1.0.0-JDK21 -...

CVSS 8.7 · AI score 6.8 · EPSS 0.00134 · Exploits: 0
vulnersOsv · added 2023/10/19 3:31 p.m. · 2 views

4help-app-shared (>=1.0.21 <=1.0.26), 4help-shared (>=1.0.2 <=1.0.20) +3208 more potentially affected by CVE-2023-5654 via react-devtools-core (>=1.0.6 <=4.28.0)

react-devtools-core NPM version =1.0.6, =1.0.21, =1.0.2, =0.0.1, =1.0.0, =0.0.1, =0.0.1, =1.0.22, =0.0.12, =1.2.0, =1.0.4, =0.0.1, =0.0.6 and more Source cves: CVE-2023-5654 Source advisory: OSV:GHSA-RXRC-RGV4-JPVX...

CVSS 6.5 · AI score 6.5 · EPSS 0.00092 · Exploits: 0
Japan Vulnerability Notes · added 2023/03/13 12:00 a.m. · 34 views

JVN#64453490: Android App "Wolt Delivery: Food and more" uses a hard-coded API key for an external service

Android App "Wolt Delivery: Food and more" provided by Wolt uses a hard-coded API key for an external service (CWE-798). Impact: The hard-coded API key may be retrieved via reverse-engineering the application binary. Note that the application users are not directly affected by this vulnerability...

CVSS 7.8 · AI score 7.4 · EPSS 0.00042 · Exploits: 0
OSV · added 2021/04/21 7:15 p.m. · 9 views

CVE-2021-29456

Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing an HTTP query parameter an attacker is able to redirect users from the web application to an...

CVSS 5.4 · AI score 7.1 · Exploits: 0 · References: 1
Prion · added 2021/04/21 7:15 p.m. · 13 views

Authorization

Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing an HTTP query parameter an attacker is able to redirect users from the web application to an...

CVSS 4.9 · AI score 5.6 · EPSS 0.00151 · Exploits: 0 · References: 1 · Affected software: 1
Cvelist · added 2021/04/21 6:50 p.m. · 13 views

CVE-2021-29456 Authelia allows open redirects on the logout endpoint

Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing an HTTP query parameter an attacker is able to redirect users from the web application to an...

CVSS 5.7 · AI score 5.9 · EPSS 0.00151 · Exploits: 0 · References: 1
Positive Technologies · added 2021/04/21 12:00 a.m. · 4 views

PT-2021-18228 · Authelia · Authelia

Name of the Vulnerable Software and Affected Versions: Authelia versions 4.27.4 and earlier. Description: The issue allows an attacker to redirect users from the web application to any domain, including potentially malicious sites, by utilizing an HTTP query parameter. This does not directly impact...

CVSS 5.7 · AI score 5.4 · EPSS 0.00151 · Exploits: 0 · References: 5
OSV · added 2019/12/04 5:16 p.m. · 13 views

CVE-2019-11935

Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28...

CVSS 9.8 · AI score 6.8 · EPSS 0.00644 · Exploits: 0 · References: 3
OSV · added 2019/12/04 5:16 p.m. · 14 views

CVE-2019-11930

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, an...

CVSS 9.8 · AI score 7.8 · EPSS 0.02498 · Exploits: 0 · References: 3
NVD · added 2019/12/04 5:16 p.m. · 14 views

CVE-2019-11930

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, an...

CVSS 9.8 · AI score 9.9 · EPSS 0.02498 · Exploits: 0 · References: 3