
apostrophe — Vulnerabilities & Security Advisories 13

All 13 CVE vulnerabilities found in apostrophe, with AI-generated Chinese analysis, references, and POCs.

This page documents aggregate vulnerability data for the Apostrophe product, specifically categorized under open-source web application weaknesses and tagged for developer security awareness. It collects reported security flaws, including cross-site scripting, SQL injection, and access control bypasses, covering incidents disclosed from January 2020 through the present day. By examining this aggregated dataset, users can efficiently track vendor advisories to stay informed about ongoing risk mitigations, gain a deeper understanding of specific weakness classes within the context of modern content management systems, and look up the comprehensive vulnerability history of Apostrophe to assess its long-term security posture. The information presented is derived from publicly available sources, including vendor security bulletins, third-party bug bounty platforms, and community-driven threat intelligence feeds. This approach ensures that security professionals, system administrators, and developers have a centralized reference point for evaluating the safety of their deployments. The content is strictly informational and does not provide direct remediation advice, as solutions may vary based on specific installation configurations and integration requirements. Users are encouraged to consult official documentation and engage with the community for the most accurate and up-to-date guidance on patching and configuration hardening. This resource aims to foster transparency and improve overall ecosystem security by making vulnerability trends and historical data more accessible to all stakeholders involved in the maintenance and evaluation of Apostrophe-based applications.

Vendor: apostrophecms

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-53609 | Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that leads to process-wide authorization bypass | CWE-1321 | 9.1 | Critical | 2026-06-12 |
| CVE-2026-53607 | @apostrophecms/file pretty-URL Vulnerable to Unauthenticated SSRF via Host header | CWE-918 | 3.7 | Low | 2026-06-12 |
| CVE-2026-45014 | Apostrophe Vulnerable to Stored Cross-Site Scripting via Unsanitized User Display Name in Draft Version Tooltip | CWE-79 | - | - | 2026-06-12 |
| CVE-2026-45013 | Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation | CWE-20 | 8.1 | High | 2026-06-12 |
| CVE-2026-45012 | Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget | CWE-918 | 7.6 | High | 2026-06-12 |
| CVE-2026-45011 | Apostrophe has stored XSS via javascript: URL in Image Widget Link | CWE-79 | 7.3 | High | 2026-06-12 |
| CVE-2026-40186 | ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements | CWE-79 | 6.1 | Medium | 2026-04-15 |
| CVE-2026-39857 | Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions | CWE-200 | 5.3 | Medium | 2026-04-15 |
| CVE-2026-35569 | ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS | CWE-79 | 8.7 | High | 2026-04-15 |
| CVE-2026-33889 | ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context | CWE-79 | 5.4 | Medium | 2026-04-15 |
| CVE-2026-33888 | ApostropheCMS: publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API | CWE-863 | 5.3 | Medium | 2026-04-15 |
| CVE-2026-33877 | ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint | CWE-208 | 3.7 | Low | 2026-04-15 |
| CVE-2026-32730 | ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware | CWE-287 | 8.1 | High | 2026-03-18 |

All 13 known CVE vulnerabilities affecting apostrophe with full Chinese analysis, references, and POCs where available.