93 matches found

RedhatCVE
added 4 days ago, 5 views

CVE-2026-33889

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the...

CVSS 5.4, AI score 5.2, EPSS 0.00014
Exploits: 1, References: 1
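The `--` bypass described above is easiest to see as a validator. The block below is an added illustration, not code from @apostrophecms/color-field: the HEX and RGB regexes are a stand-in for the TinyColor check the advisory mentions, and the attack string, the `background-color` property and the function names are assumptions made for this example.

```javascript
// Added example (not @apostrophecms/color-field code). HEX and RGB stand in for
// the TinyColor check the advisory mentions; everything else here is assumed.

// A custom property reference is exactly "--" followed by CSS ident characters.
// Anything else (quotes, semicolons, parentheses, spaces) cannot be a property
// name and only makes sense to an attacker breaking out of the style.
const CUSTOM_PROPERTY = /^--[A-Za-z0-9_-]+$/;
const HEX = /^#(?:[0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
const RGB = /^rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*(?:,\s*(?:0|1|0?\.\d+)\s*)?\)$/i;

function isLiteralColor(value) {
  return HEX.test(value) || RGB.test(value);
}

// Vulnerable shape: a "--" prefix is taken as proof that the value is a custom
// property, so the literal-color check is skipped for the whole string.
function validateColorLoose(value) {
  return value.startsWith('--') || isLiteralColor(value);
}

// Hardened shape: the "--" branch must match the whole value, not just its prefix.
function validateColorStrict(value) {
  return CUSTOM_PROPERTY.test(value) || isLiteralColor(value);
}

// Where the value ends up: an inline style on the rendered widget. Returns null
// when the value is refused, so nothing untrusted reaches the attribute.
function inlineStyle(value, validate = validateColorStrict) {
  if (typeof value !== 'string' || !validate(value)) return null;
  const css = value.startsWith('--') ? `var(${value})` : value;
  return `background-color: ${css}`;
}

// Constructed attack value: a custom-property prefix followed by an attribute
// break-out. With the loose validator it is accepted and rendered verbatim.
const ATTACK = '--brand" onmouseover="alert(document.domain)';
```

The strict regex deliberately refuses anything that is not a single custom-property name; if a site needs `var(--name, fallback)` syntax, extend the pattern rather than relaxing the prefix check.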
RedhatCVE
added 4 days ago, 4 views

CVE-2026-40186

ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in version 2.17.1 of the ApostropheCMS-maintained sanitize-html package, bypasses allowedTags enforcement for text inside nonTextTagsArray elements textarea and option...

CVSS 6.1, AI score 5.7, EPSS 0.00015
Exploits: 1, References: 1
RedhatCVE
added 4 days ago, 6 views

CVE-2026-39857

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct operations that bypass the publicApiProjection...

CVSS 5.3, AI score 5.6, EPSS 0.00031
Exploits: 1, References: 1
vulnersOsv
added 2026/05/14 6:27 p.m., 8 views

@bodonkey/charting-extension (>=1.0.0 <=1.1.0), @stepanjakl/apostrophe-stripe-checkout (>=0.0.1 <=0.0.5) +2 more potentially affected by CVE-2026-45011 via apostrophe (=4.29.0)

apostrophe NPM version =4.29.0 is affected by a known vulnerability. The following packages have a transitive dependency on apostrophe and may be impacted: @bodonkey/charting-extension =1.0.0, =0.0.1, =0.0.1, =0.0.8, tfp-procrea =1.0.0. Source CVEs: CVE-2026-45011. Source advisory: ...

AI score 5.8
Exploits: 0
Patchstack
added 2026/05/14 6:27 p.m., 7 views

NPM: Apostrophe has stored XSS via javascript: URL in Image Widget Link

Stored XSS via javascript: URL in Image Widget Link vulnerability, discovered by ?, in the npm package apostrophe, versions 4.29.0...

AI score 5.8
Exploits: 0, References: 3, Affected software: 1
Snyk
added 2026/05/14 6:27 p.m., 5 views

Weak Password Recovery Mechanism for Forgotten Password

Overview: apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...

CVSS 9.3, AI score 5.8
Exploits: 0, References: 2
Patchstack
added 2026/05/14 6:27 p.m., 5 views

NPM: Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation

Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation vulnerability, discovered by ?, in the npm package apostrophe, versions = 4.29.0...

AI score 5.8
Exploits: 0, References: 2, Affected software: 1
vulnersOsv
added 2026/05/14 6:27 p.m., 4 views

@bodonkey/charting-extension (>=1.0.0 <=1.1.0), @draadnl/openstad-cms (>=0.12.2 <=0.12.3) +7 more potentially affected by CVE-2026-45013 via apostrophe (>=0.5.393 <=4.29.0)

apostrophe NPM version =0.5.393, =1.0.0, =0.12.2, =0.0.1, =0.0.1, =2.0.0, =0.5.0, =1.0.0, =1.0.2, tfp-procrea =1.0.0. Source CVEs: CVE-2026-45013. Source advisory: OSV:GHSA-GF43-24G3-5HW2...

AI score 5.8
Exploits: 0
Patchstack
added 2026/05/14 6:26 p.m., 9 views

NPM: Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget

Authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget vulnerability, discovered by ?, in the npm package apostrophe, versions = 4.29.0...

AI score 5.8
Exploits: 0, References: 2, Affected software: 1
vulnersOsv
added 2026/05/14 6:26 p.m., 3 views

@bodonkey/charting-extension (>=1.0.0 <=1.1.0), @draadnl/openstad-cms (>=0.12.2 <=0.12.3) +7 more potentially affected by CVE-2026-45012 via apostrophe (>=0.5.393 <=4.29.0)

apostrophe NPM version =0.5.393, =1.0.0, =0.12.2, =0.0.1, =0.0.1, =2.0.0, =0.5.0, =1.0.0, =1.0.2, tfp-procrea =1.0.0. Source CVEs: CVE-2026-45012. Source advisory: OSV:GHSA-PR28-MF3Q-QPG6...

AI score 5.8
Exploits: 0
Patchstack
added 2026/05/14 6:26 p.m., 7 views

NPM: Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

Default XSS via xmp raw-text passthrough in sanitize-html vulnerability, discovered by ?, in the npm package sanitize-html, versions 2.17.3...

AI score 5.8
Exploits: 0, References: 4, Affected software: 1
OSV
added 2026/05/14 4:16 p.m., 0 views

GHSA-HCWQ-X9FW-8CFQ @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

Summary: The @apostrophecms/cli package contains a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host...

CVSS 6.5, AI score 6.2
Exploits: 0, References: 2
Snyk
added 2026/05/14 4:16 p.m., 4 views

Command Injection

Overview: @apostrophecms/cli is a command-line generator and configurator for Apostrophe CMS. Affected versions of this package are vulnerable to command injection via the apos create command when user-supplied input from the password prompt is embedded directly into a shell command without proper...

CVSS 6.3, AI score 6.1
Exploits: 0, References: 2
Github Security Blog
added 2026/05/14 4:16 p.m., 4 views

@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

Summary: The @apostrophecms/cli package contains a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host...

AI score 6.2
Exploits: 0, References: 2, Affected software: 1
Positive Technologies
added 2026/05/14 12:00 a.m., 4 views

PT-2026-41153

Summary: A stored cross-site scripting vulnerability was identified in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the liv...

CVSS 7.3, AI score 5.8
Exploits: 0, References: 4
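The Patchstack entry and the PT-2026-41153 summary above describe the same failure: an editor-controlled link value reaching an href without a scheme check. The block below is an added example, not Apostrophe's image widget code. It assumes a site origin of https://example.org for resolving relative links, a small scheme allowlist, and a deliberately partial HTML entity decoder; the sample strings are constructed.

```javascript
// Added example (not Apostrophe's image widget code). BASE, ALLOWED and the
// partial entity decoder are assumptions made for this illustration.

// Link schemes a content editor may legitimately point at.
const ALLOWED = new Set(['http:', 'https:', 'mailto:', 'tel:']);
// Site origin, used only so that relative links ("/about", "#top") resolve.
const BASE = 'https://example.org/';

// HTML decodes character references in attribute values before the URL parser
// sees them, so "&#106;avascript:" becomes "javascript:" in the browser.
// Node has no built-in decoder; this one handles numeric references and the
// named ones that matter for scheme smuggling. It is used only for the check:
// the caller still stores and escapes the original string.
const NAMED = { colon: ':', tab: '\t', newline: '\n', amp: '&', lt: '<', gt: '>', quot: '"' };
function decodeEntities(s) {
  return s.replace(/&(#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, _all, hex, dec, name) => {
    try {
      if (hex) return String.fromCodePoint(parseInt(hex, 16));
      if (dec) return String.fromCodePoint(parseInt(dec, 10));
    } catch {
      return m; // out-of-range code point: leave the text as it was
    }
    const v = NAMED[name.toLowerCase()];
    return v === undefined ? m : v;
  });
}

// The scheme a browser would act on. The WHATWG URL parser strips leading
// control characters and removes tabs/newlines anywhere, so "\tjavascript:"
// and "java\nscript:" normalise to the same scheme the browser would use.
function linkProtocol(raw) {
  try {
    return new URL(decodeEntities(raw), BASE).protocol;
  } catch {
    return null; // unparseable even relative to BASE: refuse
  }
}

// Returns the value to store when it is safe to put in an href, else null.
function safeHref(raw) {
  if (typeof raw !== 'string') return null;
  const protocol = linkProtocol(raw);
  return protocol !== null && ALLOWED.has(protocol) ? raw : null;
}

// Constructed inputs: what an editor might legitimately enter, and the
// variants an attacker would try against a naive startsWith('javascript:') check.
const SAMPLES = [
  'https://example.com/page',
  '/about',
  'mailto:hello@example.com',
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  '\tjavascript:alert(1)',
  'java\nscript:alert(1)',
  '&#106;avascript:alert(1)',
  'javascript&colon;alert(1)',
  'data:text/html,<script>alert(1)</script>',
];
function classify() {
  return SAMPLES.map((s) => [s, safeHref(s) !== null]);
}
```

Returning the original string rather than `url.href` keeps relative links relative; the decode step exists only so the check sees what the browser will see. This does not replace output encoding: whatever template renders the attribute must still escape `&` and `"`, otherwise a stored `javascript&colon;` is decoded by the HTML parser at render time regardless of what was validated on save.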
Circl
added 2026/05/13 7:29 p.m., 6 views

CVE-2026-42853

| creationtimestamp | type | source |
|---|---|---|
| 2026-05-13 19:29:14+00:00 | published-proof-of-concept | https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-hcwq-x9fw-8cfq... |

AI score 5.8
Exploits: 0, References: 1
Circl
added 2026/05/13 7:28 p.m., 3 views

CVE-2026-44990

| creationtimestamp | type | source |
|---|---|---|
| 2026-05-13 19:28:52+00:00 | published-proof-of-concept | https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643... |

AI score 5.8
Exploits: 0, References: 1
OSV
added 2026/04/16 8:45 p.m., 2 views

GHSA-C276-FJ82-F2PQ ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions

Summary: The choices and counts query parameters in the Apostrophe CMS REST API allow unauthenticated users to extract distinct field values for any schema field that has a registered query builder, completely bypassing publicApiProjection restrictions that are intended to limit which fields are...

CVSS 5.3, AI score 5.9, EPSS 0.00031
Exploits: 1, References: 4
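The CVE-2026-39857 entry earlier on this page and this GHSA describe the same gap: the distinct query behind choices and counts is not held to publicApiProjection. The block below is an added example and is not ApostropheCMS code. It uses an in-memory stand-in for the MongoDB distinct operation, a fail-closed rule for an empty projection, and constructed documents and field names; only publicApiProjection itself is taken from the advisory.

```javascript
// Added example (not ApostropheCMS code). The in-memory distinct(), the
// fail-closed handling of an empty projection and the sample documents are
// assumptions; publicApiProjection is the configuration the advisory names.

// Constructed documents: two fields the site exposes publicly and one it does not.
const DOCS = [
  { title: 'Pricing', slug: 'pricing', internalNote: 'renewal due' },
  { title: 'About', slug: 'about', internalNote: 'legal review' },
  { title: 'Pricing', slug: 'pricing-2', internalNote: 'renewal due' },
];
const PUBLIC_PROJECTION = { title: 1, slug: 1 };
// Query builders registered for the doc type; only these can back a choices/counts request.
const BUILDERS = new Set(['title', 'slug', 'internalNote']);

// Whether a MongoDB projection exposes a field. {a:1,b:1} is inclusion (only a
// and b); {a:0} is exclusion (everything but a). _id is ignored here, and a
// dotted path is covered by its parent ("address" covers "address.city").
function fieldPermitted(projection, field) {
  const entries = Object.entries(projection || {}).filter(([k]) => k !== '_id');
  const covers = (p) => field === p || field.startsWith(p + '.');
  const included = entries.filter(([, v]) => v).map(([k]) => k);
  if (included.length > 0) return included.some(covers);
  const excluded = entries.filter(([, v]) => !v).map(([k]) => k);
  return !excluded.some(covers);
}

// Stand-in for the MongoDB distinct + count the advisory describes.
function distinct(docs, field) {
  const counts = new Map();
  for (const d of docs) {
    const v = d[field];
    if (v !== undefined) counts.set(v, (counts.get(v) || 0) + 1);
  }
  return [...counts].map(([value, count]) => ({ value, count }));
}

// Gate for ?choices=a,b style parameters. Unauthenticated callers are held to
// the projection, and an empty projection means nothing is public. Authenticated
// editors would go through the normal permission check, which is not modelled.
function publicChoices(query, { projection, authenticated }) {
  const wanted = String(query || '').split(',').map((s) => s.trim()).filter(Boolean);
  const hasProjection = Object.keys(projection || {}).some((k) => k !== '_id');
  const result = {};
  const denied = [];
  for (const field of wanted) {
    if (!BUILDERS.has(field)) continue; // no query builder: the parameter is inert
    const ok = authenticated || (hasProjection && fieldPermitted(projection, field));
    if (ok) result[field] = distinct(DOCS, field);
    else denied.push(field);
  }
  return { result, denied };
}
```

The important line is the one that consults fieldPermitted before distinct runs: the leak in the advisory is that the projection was applied to the documents returned, not to the separate distinct query, so a field that never appears in a public GET could still be enumerated one value at a time.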
vulnersOsv
added 2026/04/16 8:42 p.m., 4 views

@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by CVE-2026-33889 via apostrophe (>=0.5.393 <=2.227.12)

apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2. Source CVEs: CVE-2026-33889. Source advisory: OSV:GHSA-97V6-998M-FP4G...

CVSS 5.4, AI score 5.8, EPSS 0.00014
Exploits: 1
vulnersOsv
added 2026/04/16 8:42 p.m., 2 views

@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by CVE-2026-33888 via apostrophe (>=0.5.393 <=2.227.12)

apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2. Source CVEs: CVE-2026-33888. Source advisory: OSV:GHSA-XHQ9-58FW-859P...

CVSS 5.3, AI score 5.8, EPSS 0.0011
Exploits: 1