Lucene search
K

99 matches found

Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.16 views

PT-2026-41153

Name of the Vulnerable Software and Affected Versions ApostropheCMS version 4.29.0 Description A stored cross-site scripting issue exists in the image widget functionality. A user with the Editor or Contributor role can configure an image widget link using a javascript: URL payload. Since editors...

7.3CVSS4.6AI score0.00211EPSS
Exploits0References10
Circl
Circl
added 2026/05/13 7:29 p.m.10 views

CVE-2026-42853

creationtimestamp| type| source ---|---|--- 2026-05-13 19:29:14+00:00| published-proof-of-concept| https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-hcwq-x9fw-8cfq 2026-06-12 22:43:03+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mo4sqe3uag2q...

6.5CVSS5AI score0.00428EPSS
Exploits0References2
Circl
Circl
added 2026/05/13 7:28 p.m.9 views

CVE-2026-44990

creationtimestamp| type| source ---|---|--- 2026-05-13 19:28:52+00:00| published-proof-of-concept| https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643...

9.3CVSS5.8AI score0.00397EPSS
Exploits0References1
OSV
OSV
added 2026/04/16 8:45 p.m.8 views

GHSA-C276-FJ82-F2PQ ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions

Summary The choices and counts query parameters in the Apostrophe CMS REST API allow unauthenticated users to extract distinct field values for any schema field that has a registered query builder, completely bypassing publicApiProjection restrictions that are intended to limit which fields are...

5.3CVSS5.9AI score0.00435EPSS
Exploits1References4
vulnersOsv
vulnersOsv
added 2026/04/16 8:42 p.m.7 views

@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by CVE-2026-33889 via apostrophe (>=0.5.393 <=2.227.12)

apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2 Source cves: CVE-2026-33889 Source advisory: OSV:GHSA-97V6-998M-FP4G...

5.4CVSS5.8AI score0.0021EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/04/16 8:42 p.m.5 views

@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by CVE-2026-33888 via apostrophe (>=0.5.393 <=2.227.12)

apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2 Source cves: CVE-2026-33888 Source advisory: OSV:GHSA-XHQ9-58FW-859P...

5.3CVSS5.8AI score0.00512EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/04/16 8:42 p.m.5 views

@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by CVE-2026-33877 via apostrophe (>=0.5.393 <=2.227.12)

apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2 Source cves: CVE-2026-33877 Source advisory: OSV:GHSA-MJ7R-X3H3-7RMR...

3.7CVSS5.8AI score0.00365EPSS
Exploits1
EUVD
EUVD
added 2026/04/16 8:42 p.m.6 views

EUVD-2026-23015

ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint...

3.7CVSS5.8AI score0.00365EPSS
Exploits1References3
Snyk
Snyk
added 2026/04/15 9:26 p.m.3 views

Cross-site Scripting (XSS)

Overview @apostrophecms/seo is a SEO Tools for ApostropheCMS Affected versions of this package are vulnerable to Cross-site Scripting XSS in renderNodes, via SEO Title and Meta Description values, where user-controlled input is rendered without proper output encoding into HTML contexts such as...

8.7CVSS5.5AI score0.00298EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/15 9:26 p.m.4 views

Cross-site Scripting (XSS)

Overview apostrophe is a content management system CMS for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...

6.1CVSS5.6AI score0.0021EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/15 7:38 p.m.18 views

CVE-2026-39857 Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct operations that bypass the publicApiProjection...

5.3CVSS0.00435EPSS
Exploits1References2
CVE
CVE
added 2026/04/15 7:11 p.m.15 views

CVE-2026-33877

CVE-2026-33877 affects ApostropheCMS (Node.js). Versions up to 4.28.0 contain a timing side-channel in the password reset endpoint /api/v1/@apostrophecms/login/reset-request, enabling unauthenticated enumeration of usernames/emails via differences in response time. When no user is found, the hand...

3.7CVSS5.8AI score0.00365EPSS
Exploits1References2Affected Software1
Circl
Circl
added 2026/04/15 5:7 p.m.9 views

CVE-2026-33877

creationtimestamp| type| source ---|---|--- 2026-04-15 17:07:19+00:00| published-proof-of-concept| https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mj7r-x3h3-7rmr...

3.7CVSS5.3AI score0.00365EPSS
Exploits1References1
Circl
Circl
added 2026/04/15 5:6 p.m.7 views

CVE-2026-33888

creationtimestamp| type| source ---|---|--- 2026-04-15 17:06:23+00:00| published-proof-of-concept| https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-xhq9-58fw-859p...

5.3CVSS5.3AI score0.00512EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.13 views

PT-2026-33171

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the...

5.4CVSS5.8AI score0.0021EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/03/26 3:2 p.m.7 views

CVE-2026-32731

ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of @apostrophecms/import-export, The extract function in gzip.js constructs file-write paths using fs.createWriteStreampath.joinexportPath, header.name. path.join does not resolve or sanitise traversal segments...

9.9CVSS5.7AI score0.00432EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/03/18 12:0 a.m.7 views

ApostropheCMS 安全漏洞

ApostropheCMS is a full-stack content management system open source by Apostrophe Technologies. Versions of ApostropheCMS prior to 4.28.0 contained security vulnerabilities, which were caused by incorrect MongoDB queries and could lead to bypassing multi-factor authentication...

8.1CVSS5.8AI score0.00362EPSS
Exploits1References1
EUVD
EUVD
added 2025/10/07 12:30 a.m.7 views

EUVD-2021-2296

Malware in sbrugna...

5.4CVSS5.4AI score0.00483EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2021-2330

Malware in sbrugna...

9.8CVSS9.3AI score0.01103EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2021-23000

Malware in sbrugna...

10CVSS9.2AI score0.02736EPSS
Exploits0References4
Rows per page
Query Builder