99 matches found
PT-2026-41153
Name of the Vulnerable Software and Affected Versions ApostropheCMS version 4.29.0 Description A stored cross-site scripting issue exists in the image widget functionality. A user with the Editor or Contributor role can configure an image widget link using a javascript: URL payload. Since editors...
CVE-2026-42853
creationtimestamp| type| source ---|---|--- 2026-05-13 19:29:14+00:00| published-proof-of-concept| https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-hcwq-x9fw-8cfq 2026-06-12 22:43:03+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mo4sqe3uag2q...
CVE-2026-44990
creationtimestamp| type| source ---|---|--- 2026-05-13 19:28:52+00:00| published-proof-of-concept| https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643...
GHSA-C276-FJ82-F2PQ ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions
Summary The choices and counts query parameters in the Apostrophe CMS REST API allow unauthenticated users to extract distinct field values for any schema field that has a registered query builder, completely bypassing publicApiProjection restrictions that are intended to limit which fields are...
@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by CVE-2026-33889 via apostrophe (>=0.5.393 <=2.227.12)
apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2 Source cves: CVE-2026-33889 Source advisory: OSV:GHSA-97V6-998M-FP4G...
@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by CVE-2026-33888 via apostrophe (>=0.5.393 <=2.227.12)
apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2 Source cves: CVE-2026-33888 Source advisory: OSV:GHSA-XHQ9-58FW-859P...
@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by CVE-2026-33877 via apostrophe (>=0.5.393 <=2.227.12)
apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2 Source cves: CVE-2026-33877 Source advisory: OSV:GHSA-MJ7R-X3H3-7RMR...
EUVD-2026-23015
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint...
Cross-site Scripting (XSS)
Overview @apostrophecms/seo is a SEO Tools for ApostropheCMS Affected versions of this package are vulnerable to Cross-site Scripting XSS in renderNodes, via SEO Title and Meta Description values, where user-controlled input is rendered without proper output encoding into HTML contexts such as...
Cross-site Scripting (XSS)
Overview apostrophe is a content management system CMS for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...
CVE-2026-39857 Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct operations that bypass the publicApiProjection...
CVE-2026-33877
CVE-2026-33877 affects ApostropheCMS (Node.js). Versions up to 4.28.0 contain a timing side-channel in the password reset endpoint /api/v1/@apostrophecms/login/reset-request, enabling unauthenticated enumeration of usernames/emails via differences in response time. When no user is found, the hand...
CVE-2026-33877
creationtimestamp| type| source ---|---|--- 2026-04-15 17:07:19+00:00| published-proof-of-concept| https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mj7r-x3h3-7rmr...
CVE-2026-33888
creationtimestamp| type| source ---|---|--- 2026-04-15 17:06:23+00:00| published-proof-of-concept| https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-xhq9-58fw-859p...
PT-2026-33171
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the...
CVE-2026-32731
ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of @apostrophecms/import-export, The extract function in gzip.js constructs file-write paths using fs.createWriteStreampath.joinexportPath, header.name. path.join does not resolve or sanitise traversal segments...
ApostropheCMS 安全漏洞
ApostropheCMS is a full-stack content management system open source by Apostrophe Technologies. Versions of ApostropheCMS prior to 4.28.0 contained security vulnerabilities, which were caused by incorrect MongoDB queries and could lead to bypassing multi-factor authentication...
EUVD-2021-2296
Malware in sbrugna...
EUVD-2021-2330
Malware in sbrugna...
EUVD-2021-23000
Malware in sbrugna...