VYPR
Medium severity6.5GHSA Advisory· Published Jun 12, 2026· Updated Jun 15, 2026

CVE-2026-42853

CVE-2026-42853

Description

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of time of publication, no known patched versions are available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@apostrophecms/clinpm
<= 3.6.0

Affected products

2

Patches

Vulnerability mechanics

References

3

News mentions

1
CVE-2026-42853 · Medium · VYPR