Apostrophe

This hub aggregates every CVE we track for Apostrophe, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 14 most recently published vulnerabilities affecting Apostrophe.

• CVE-2026-53609Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that leads to process-wide authorization bypass9.1Jun 12, 2026
• CVE-2026-53607@apostrophecms/file pretty-URL Vulnerable to Unauthenticated SSRF via Host header3.7Jun 12, 2026
• CVE-2026-45013Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation8.1Jun 12, 2026
• CVE-2026-45012Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget7.6Jun 12, 2026
• CVE-2026-45011Apostrophe has stored XSS via javascript: URL in Image Widget Link7.3Jun 12, 2026
• CVE-2026-40186ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements6.1Apr 15, 2026
• CVE-2026-39857Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions5.3Apr 15, 2026
• CVE-2026-35569ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS8.7Apr 15, 2026
• CVE-2026-33889ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context5.4Apr 15, 2026
• CVE-2026-33888ApostropheCMS: publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API5.3Apr 15, 2026
• CVE-2026-33877ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint3.7Apr 15, 2026
• CVE-2026-32730ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware8.1Mar 18, 2026
• CVE-2021-25979Apostrophe - Insufficient Session Expiration9.8Nov 8, 2021
• CVE-2021-25978Apostrophe - XSS5.4Nov 7, 2021