Lucene search
K

4 matches found

OSV
OSV
added 2026/04/16 8:42 p.m.5 views

GHSA-XHQ9-58FW-859P ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API

Summary The getRestQuery method in the @apostrophecms/piece-type module checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request to pre-populate the...

5.3CVSS5.6AI score0.00512EPSS
Exploits1References5
EUVD
EUVD
added 2026/04/16 8:42 p.m.7 views

EUVD-2026-23102

ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API...

5.3CVSS5.8AI score0.00512EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/04/15 7:25 p.m.3 views

CVE-2026-33888 ApostropheCMS: publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying...

5.3CVSS5.7AI score0.00512EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.8 views

PT-2026-33173

Name of the Vulnerable Software and Affected Versions ApostropheCMS versions prior to 4.29.0 Description An authorization bypass exists in the REST API of this open-source Node.js content management system. Unauthenticated attackers can extract all distinct field values for any schema field type...

5.3CVSS5.3AI score0.00435EPSS
Exploits1References7
Rows per page
Query Builder