apostrophecms
Web & CMS Plugins (commercial)
Latest CVEs
The 15 most recently published vulnerabilities affecting apostrophecms.
- CVE-2026-53609: Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that leads to process-wide authorization bypass (9.1)
- CVE-2026-53608: @apostrophecms/seo Vulnerable to Stored XSS via Unsanitized Google Analytics / GTM ID Injected into Script Tag (8.7)
- CVE-2026-53607: @apostrophecms/file pretty-URL Vulnerable to Unauthenticated SSRF via Host header (3.7)
- CVE-2026-53606: sanitize-html has an incomplete URI scheme validation that allows javascript: URIs through action, formaction, data, poster, and background attributes (5.4)
- CVE-2026-45013: Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation (8.1)
- CVE-2026-45012: Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget (7.6)
- CVE-2026-45011: Apostrophe has stored XSS via javascript: URL in Image Widget Link (7.3)
- CVE-2026-44990: Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` (9.3)
- CVE-2026-42853: @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input (6.5)
- CVE-2026-40186: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements (6.1)
- CVE-2026-39857: Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions (5.3)
- CVE-2026-35569: ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS (8.7)
- CVE-2026-33889: ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context (5.4)
- CVE-2026-33888: ApostropheCMS: publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API (5.3)
- CVE-2026-33877: ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint (3.7)