Medium severity6.5GHSA Advisory· Published Jun 12, 2026· Updated Jun 15, 2026
CVE-2026-42853
CVE-2026-42853
Description
ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of time of publication, no known patched versions are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@apostrophecms/clinpm | <= 3.6.0 | — |
Affected products
2- Range: <= 3.6.0
Patches
Vulnerability mechanics
References
3News mentions
1- ApostropheCMS: Nine CVEs Disclosed in Single-Day Batch Including Two Critical FlawsVypr Intelligence · Jun 12, 2026