Apostrophecms

Apostrophecms

9 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.1

CVE-2026-40186

Exploit
  • EPSS 0.01%
  • Veröffentlicht 15.04.2026 20:15:12
  • Zuletzt bearbeitet 25.04.2026 18:15:17

ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTa...

5.3

CVE-2026-39857

Exploit
  • EPSS 0.02%
  • Veröffentlicht 15.04.2026 19:38:57
  • Zuletzt bearbeitet 20.04.2026 17:03:00

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct...

8.7

CVE-2026-35569

Exploit
  • EPSS 0.04%
  • Veröffentlicht 15.04.2026 19:34:23
  • Zuletzt bearbeitet 30.04.2026 21:16:32

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without p...

5.4

CVE-2026-33889

Exploit
  • EPSS 0.01%
  • Veröffentlicht 15.04.2026 19:29:50
  • Zuletzt bearbeitet 20.04.2026 17:03:43

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation...

5.3

CVE-2026-33888

Exploit
  • EPSS 0.08%
  • Veröffentlicht 15.04.2026 19:25:46
  • Zuletzt bearbeitet 20.04.2026 17:04:34

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB p...

3.7

CVE-2026-33877

Exploit
  • EPSS 0.02%
  • Veröffentlicht 15.04.2026 19:11:06
  • Zuletzt bearbeitet 20.04.2026 17:05:47

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username ...

8.1

CVE-2026-32730

Exploit
  • EPSS 0.1%
  • Veröffentlicht 18.03.2026 22:00:14
  • Zuletzt bearbeitet 24.03.2026 21:34:09

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login to...

7.5

CVE-2021-25979

  • EPSS 0.36%
  • Veröffentlicht 08.11.2021 15:15:07
  • Zuletzt bearbeitet 21.11.2024 05:55:43

Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a...

5.4

CVE-2021-25978

  • EPSS 0.21%
  • Veröffentlicht 07.11.2021 18:15:07
  • Zuletzt bearbeitet 21.11.2024 05:55:43

Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed.