VYPR

Vendor CVEs

Apostrophecms

All CVEs

22 total · sorted by risk
  • CVE-2026-53609CriJun 12, 2026
    risk 0.59cvss 9.1epss 0.00

    ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an authenticated editor to write arbitrary values to `Object.prototype` via the…

  • CVE-2026-53608HigJun 12, 2026
    risk 0.57cvss 8.7epss 0.00

    ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package injects the Google Analytics Tracking ID (`seoGoogleTrackingId`) and Google Tag Manager ID (`seoGoogleTagManager`) directly into ``…

  • CVE-2026-45013HigJun 12, 2026
    risk 0.53cvss 8.1epss 0.00

    ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using `req.hostname`, which is derived directly from the attacker-controlled HTTP `Host` header when `apos.baseUrl` is…

  • CVE-2026-44990CriJun 12, 2026
    risk 0.53cvss 9.3epss 0.00

    ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp`…

  • CVE-2026-35569HigApr 15, 2026
    risk 0.50cvss 8.7epss 0.00

    ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into…

  • CVE-2026-45012HigJun 12, 2026
    risk 0.49cvss 7.6epss 0.00

    ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause…

  • CVE-2026-45011HigJun 12, 2026
    risk 0.47cvss 7.3epss 0.00

    ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors…

  • CVE-2026-42853MedJun 12, 2026
    risk 0.42cvss 6.5epss 0.00

    ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a…

  • CVE-2026-53606MedJun 12, 2026
    risk 0.35cvss 5.4epss 0.00

    ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use `allowedSchemesAppliedToAttributes` (default: `['href', 'src', 'cite']`) to gate the…

  • CVE-2026-45014MedJun 12, 2026
    risk 0.34cvss epss 0.00

    ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 are vulnerable to stored cross-site scripting via unsanitized user display name in draft version tooltip. As of time of publication, no known patched versions are available.

  • CVE-2026-40186MedApr 15, 2026
    risk 0.33cvss 6.1epss 0.00

    ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea…

  • CVE-2026-33889MedApr 15, 2026
    risk 0.28cvss 5.4epss 0.00

    ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom…

  • CVE-2026-39857MedApr 15, 2026
    risk 0.27cvss 5.3epss 0.00

    ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the…

  • CVE-2026-33888MedApr 15, 2026
    risk 0.27cvss 5.3epss 0.01

    ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been…

  • CVE-2026-53607LowJun 12, 2026
    risk 0.24cvss 3.7epss 0.00

    ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, when `prettyUrls: true` is enabled on `@apostrophecms/file` (a documented SEO feature for serving uploaded files at clean URLs), the public pretty-URL handler builds the…

  • CVE-2026-33877LowApr 15, 2026
    risk 0.17cvss 3.7epss 0.00

    ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a…

  • CVE-2026-32730Mar 18, 2026
    risk 0.00cvss epss 0.00

    ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password…

  • CVE-2019-25225Sep 8, 2025
    risk 0.00cvss epss 0.00

    `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result,…

  • CVE-2024-21501Feb 24, 2024
    risk 0.00cvss epss 0.01

    Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to…

  • CVE-2022-25887Aug 30, 2022
    risk 0.00cvss epss 0.01

    The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.

  • CVE-2021-25979Nov 8, 2021
    risk 0.00cvss epss 0.01

    Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older…

  • CVE-2021-25978Nov 7, 2021
    risk 0.00cvss epss 0.00

    Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed.