PatchSiren

apostrophecms CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW apostrophecms CVE published 2026-06-12

CVE-2026-53607

ApostropheCMS, an open-source Node.js content management system, has a vulnerability in versions up to and including 4.30.0. When the `prettyUrls: true` option is enabled on `@apostrophecms/file`, a feature for serving uploaded files at clean URLs, an unauthenticated remote attacker can exploit this to pivot the Apostrophe process to issue outbound HTTP requests against any host reachable on the private n [truncated]

MEDIUM apostrophecms CVE published 2026-06-12

CVE-2026-53606

CVE-2026-53606 is a vulnerability in the sanitize-html package, used by ApostropheCMS, a Node.js content management system. The vulnerability arises from the `allowedSchemesAppliedToAttributes` configuration, which by default does not include all HTML attributes that accept URIs. This oversight enables `javascript:` URIs to pass through unmodified, potentially leading to Cross-Site Scripting (XSS) attacks [truncated]

MEDIUM apostrophecms CVE published 2026-06-12

CVE-2026-45014

ApostropheCMS, an open-source Node.js content management system, is vulnerable to stored cross-site scripting (XSS) via an unsanitized user display name in the draft version tooltip. This vulnerability is identified as CVE-2026-45014 and has a CVSS score of 5.3, categorized as MEDIUM severity. As of the publication date, no patched versions are available. The vulnerability allows an attacker to inject mal [truncated]

HIGH apostrophecms CVE published 2026-06-12

CVE-2026-45013

ApostropheCMS, an open-source Node.js content management system, has a password reset flow vulnerability in versions up to and including 4.29.0. The vulnerability allows an unauthenticated attacker who knows a victim's email address to send a crafted reset request. This causes the application to email the victim a reset link pointing to the attacker's domain. When the victim clicks the link, the valid res [truncated]

HIGH apostrophecms CVE published 2026-06-12

CVE-2026-45012

ApostropheCMS, an open-source Node.js content management system, is vulnerable to an authenticated server-side request forgery (SSRF) attack in the rich-text widget import flow. This vulnerability, tracked as CVE-2026-45012, affects versions up to and including 4.29.0. An authenticated user who can submit or edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget [truncated]

HIGH apostrophecms CVE published 2026-06-12

CVE-2026-45011

ApostropheCMS version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a `javascript:` URL payload. Because editors have permission to publish pages, the malicious widget can be published to the live site. When another user, including an administrator or public visitor, clicks the affected image/li [truncated]

CRITICAL apostrophecms CVE published 2026-06-12

CVE-2026-44990

CVE-2026-44990 is a critical vulnerability in sanitize-html, a Node.js library used by ApostropheCMS. The vulnerability allows an attacker to bypass HTML sanitization, potentially leading to stored XSS attacks. Versions of `sanitize-html` prior to 2.17.4 are affected. The vulnerability has a CVSS score of 9.3 and is considered critical.

MEDIUM apostrophecms CVE published 2026-06-12

CVE-2026-42853

ApostropheCMS's `@apostrophecms/cli` package, up to and including version 3.6.0, contains a command injection vulnerability in the `apos create` command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping, allowing execution of arbitrary commands on the host system. As of publication, no patched versions are available.