CVE-2026-35569

Severity: High (CVSS 3.1 base score 8.7) · EPSS 21.4%
Published Apr 15, 2026 (2 months ago) · Modified Jun 17, 2026 (1 week ago)

Description

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as "></title><script>alert(1)</script> to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any authenticated user who views the affected page. This can be leveraged to perform authenticated API requests, access sensitive data such as usernames, email addresses, and roles via internal APIs, and exfiltrate it to an attacker-controlled server. This issue has been fixed in version 4.29.0.
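The advisory's root cause is output encoding that does not match the context a field lands in. The example below is added here and is not ApostropheCMS code; the field names (seoTitle, metaDescription) and the render helpers are assumptions. It shows the hardened rendering of the three contexts named above beside the raw-interpolation pattern the advisory describes, and a small check that counts script elements in the rendered head so a template test can catch a break-out.

```javascript
// Added example, not ApostropheCMS code: context-aware output encoding for the
// three contexts the advisory names (<title> text, <meta> attribute value, and
// JSON-LD inside a <script> element). Field names (seoTitle, metaDescription)
// and the render helpers are assumptions chosen for illustration.

// HTML text and quoted-attribute contexts: neutralise the characters that can
// open or close a tag or terminate a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Script context: HTML entities are NOT decoded inside <script>, so HTML
// escaping is the wrong tool here. JSON.stringify leaves "<" and ">" intact,
// which means a string containing "</script>" ends the element early.
// Encoding those characters as JSON \u escapes keeps the document a single
// script element while JSON.parse still yields the original text.
function serializeJsonLd(obj) {
  return JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Structured data built from the same two SEO fields.
function jsonLdFor(seo) {
  return {
    '@context': 'https://schema.org',
    '@type': 'WebPage',
    name: seo.seoTitle,
    description: seo.metaDescription,
  };
}

// Hardened rendering: every field is encoded for the exact context it lands in.
function renderHead(seo) {
  return [
    `<title>${escapeHtml(seo.seoTitle)}</title>`,
    `<meta name="description" content="${escapeHtml(seo.metaDescription)}">`,
    `<script type="application/ld+json">${serializeJsonLd(jsonLdFor(seo))}</script>`,
  ].join('\n');
}

// The pattern the advisory describes: raw interpolation into the same three
// contexts. Kept only for the comparison below.
function renderHeadUnsafe(seo) {
  return [
    `<title>${seo.seoTitle}</title>`,
    `<meta name="description" content="${seo.metaDescription}">`,
    `<script type="application/ld+json">${JSON.stringify(jsonLdFor(seo))}</script>`,
  ].join('\n');
}

// Detection helper for template tests: count opening tags of a given name.
// A head fragment built by renderHead() must contain exactly one <script>
// (the JSON-LD block); any more means a field broke out of its context.
function countOpeningTags(html, tagName) {
  const matches = html.match(new RegExp(`<${tagName}\\b`, 'gi'));
  return matches ? matches.length : 0;
}

// Constructed input: the break-out payload quoted in the advisory, placed in
// both fields.
const PAYLOAD = '"></title><script>alert(1)</script>';
const seoFields = { seoTitle: PAYLOAD, metaDescription: PAYLOAD };

// Runs the comparison and returns both counts (unsafe first, hardened second).
function compareRenderings() {
  return [
    countOpeningTags(renderHeadUnsafe(seoFields), 'script'),
    countOpeningTags(renderHead(seoFields), 'script'),
  ];
}
```

With the advisory's payload in both fields, the raw rendering produces five script elements (the JSON-LD block plus one injected by each of the four interpolations), while the hardened rendering produces exactly one, and parsing the encoded JSON-LD back still returns the original field text.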

CVSS Details

Base Score
8.7
Exploitability
2.3
Impact
5.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
21.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-116 Improper Encoding or Escaping of Output
CWE-79 Cross-site Scripting

Affected Products 1

Vendor         Product        Version   Range
apostrophecms  apostrophecms  *         <4.29.0

References 3

  • github.com https://github.com/Chittu13/cve-research/tree/main/CVE-2026-35569
  • github.com https://github.com/apostrophecms/apostrophe/commit/0e57dd07a56ae1ba1e3af646ba026db4d0ab5bb3
    Patch
  • github.com https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-855c-r2vq-c292
    Exploit, Patch, Vendor Advisory

Remediation

  • github.com https://github.com/apostrophecms/apostrophe/commit/0e57dd07a56ae1ba1e3af646ba026db4d0ab5bb3
    Patch
  • github.com https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-855c-r2vq-c292
    Exploit, Patch, Vendor Advisory