CVE-2026-35569

Source
https://cve.org/CVERecord?id=CVE-2026-35569
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35569.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35569
Aliases
Published
2026-04-15T19:34:23.648Z
Modified
2026-07-08T08:12:59.077582989Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS
Details

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as "></title><script>alert(1)</script> to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any authenticated user who views the affected page. This can be leveraged to perform authenticated API requests, access sensitive data such as usernames, email addresses, and roles via internal APIs, and exfiltrate it to an attacker-controlled server. This issue has been fixed in version 4.29.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-116",
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35569.json"
}
References

Affected packages

Git / github.com/apostrophecms/apostrophe

Affected ranges

Type
GIT
Repo
https://github.com/apostrophecms/apostrophe
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.29.0"
        }
    ],
    "cpe": "cpe:2.3:a:apostrophecms:apostrophecms:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.1.1
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.3.0
0.3.1
0.3.10
0.3.11
0.3.12
0.3.15
0.3.16
0.3.18
0.3.19
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.4.1
0.4.10
0.4.100
0.4.101
0.4.102
0.4.104
0.4.11
0.4.110
0.4.111
0.4.112
0.4.113
0.4.114
0.4.115
0.4.116
0.4.117
0.4.118
0.4.119
0.4.12
0.4.120
0.4.121
0.4.122
0.4.123
0.4.124
0.4.125
0.4.13
0.4.14
0.4.15
0.4.16
0.4.18
0.4.184
0.4.19
0.4.2
0.4.20
0.4.21
0.4.22
0.4.23
0.4.24
0.4.25
0.4.26
0.4.27
0.4.28
0.4.29
0.4.3
0.4.30
0.4.31
0.4.32
0.4.33
0.4.34
0.4.35
0.4.37
0.4.4
0.4.40
0.4.41
0.4.42
0.4.43
0.4.44
0.4.45
0.4.46
0.4.47
0.4.5
0.4.51
0.4.52
0.4.53
0.4.54
0.4.55
0.4.57
0.4.58
0.4.59
0.4.6
0.4.60
0.4.61
0.4.62
0.4.63
0.4.64
0.4.65
0.4.66
0.4.67
0.4.68
0.4.69
0.4.7
0.4.70
0.4.71
0.4.72
0.4.73
0.4.74
0.4.75
0.4.8
0.4.82
0.4.83
0.4.84
0.4.85
0.4.86
0.4.87
0.4.88
0.4.89
0.4.90
0.4.91
0.4.92
0.4.93
0.4.94
0.4.95
0.4.96
0.4.97
0.4.98
0.4.99
0.5.0
0.5.1
0.5.10
0.5.100
0.5.102
0.5.103
0.5.104
0.5.106
0.5.107
0.5.108
0.5.109
0.5.111
0.5.113
0.5.115
0.5.116
0.5.117
0.5.12
0.5.120
0.5.121
0.5.124
0.5.125
0.5.126
0.5.127
0.5.128
0.5.13
0.5.130
0.5.131
0.5.133
0.5.134
0.5.135
0.5.136
0.5.138
0.5.14
0.5.141
0.5.142
0.5.143
0.5.144
0.5.145
0.5.146
0.5.148
0.5.149
0.5.150
0.5.151
0.5.155
0.5.156
0.5.157
0.5.158
0.5.159
0.5.16
0.5.165
0.5.167
0.5.168
0.5.169
0.5.17
0.5.178
0.5.179
0.5.180
0.5.181
0.5.183
0.5.187
0.5.188
0.5.189
0.5.19
0.5.190
0.5.191
0.5.192
0.5.193
0.5.194
0.5.197
0.5.198
0.5.199
0.5.2
0.5.20
0.5.201
0.5.202
0.5.203
0.5.204
0.5.205
0.5.206
0.5.207
0.5.208
0.5.21
0.5.213
0.5.215
0.5.216
0.5.217
0.5.218
0.5.219
0.5.22
0.5.221
0.5.222
0.5.223
0.5.224
0.5.226
0.5.227
0.5.228
0.5.229
0.5.23
0.5.230
0.5.24
0.5.240
0.5.241
0.5.242
0.5.244
0.5.245
0.5.246
0.5.247
0.5.248
0.5.249
0.5.25
0.5.250
0.5.251
0.5.252
0.5.253
0.5.254
0.5.26
0.5.269
0.5.27
0.5.270
0.5.271
0.5.272
0.5.273
0.5.275
0.5.276
0.5.278
0.5.279
0.5.28
0.5.280
0.5.281
0.5.282
0.5.283
0.5.284
0.5.285
0.5.286
0.5.287
0.5.288
0.5.29
0.5.290
0.5.291
0.5.292
0.5.293
0.5.294
0.5.296
0.5.297
0.5.298
0.5.3
0.5.30
0.5.300
0.5.301
0.5.302
0.5.303
0.5.305
0.5.307
0.5.308
0.5.309
0.5.31
0.5.310
0.5.311
0.5.312
0.5.32
0.5.327
0.5.328
0.5.33
0.5.330
0.5.331
0.5.332
0.5.333
0.5.336
0.5.337
0.5.338
0.5.339
0.5.34
0.5.340
0.5.343
0.5.344
0.5.345
0.5.346
0.5.347
0.5.348
0.5.349
0.5.35
0.5.350
0.5.351
0.5.352
0.5.353
0.5.354
0.5.355
0.5.356
0.5.357
0.5.358
0.5.359
0.5.36
0.5.360
0.5.361
0.5.362
0.5.363
0.5.364
0.5.365
0.5.366
0.5.367
0.5.368
0.5.369
0.5.37
0.5.370
0.5.371
0.5.372
0.5.373
0.5.374
0.5.375
0.5.376
0.5.377
0.5.378
0.5.379
0.5.38
0.5.380
0.5.381
0.5.382
0.5.383
0.5.384
0.5.39
0.5.4
0.5.40
0.5.43
0.5.44
0.5.45
0.5.47
0.5.48
0.5.5
0.5.50
0.5.51
0.5.52
0.5.55
0.5.56
0.5.57
0.5.58
0.5.59
0.5.6
0.5.60
0.5.61
0.5.63
0.5.64
0.5.65
0.5.67
0.5.68
0.5.69
0.5.7
0.5.70
0.5.71
0.5.75
0.5.76
0.5.77
0.5.78
0.5.79
0.5.8
0.5.82
0.5.84
0.5.85
0.5.86
0.5.88
0.5.89
0.5.9
0.5.90
0.5.91
0.5.92
0.5.93
0.5.94
0.5.95
0.5.96
0.5.97
0.5.98
0.5.99
2.*
2.0.1
2.0.2
2.0.3
2.0.4
2.1.1
2.1.2
2.1.3
2.10.0
2.10.1
2.10.2
2.10.3
2.11.0
2.12.0
2.13.0
2.13.1
2.13.2
2.14.0
2.14.1
2.14.2
2.15.0
2.15.1
2.15.2
2.16.0
2.16.1
2.17.0
2.17.1
2.17.2
2.18.0
2.18.1
2.18.2
2.19.0
2.19.1
2.20.1
2.20.2
2.20.3
2.22.0
2.23.0
2.23.1
2.23.2
2.24.0
2.25.0
2.25.1
2.26.0
2.26.1
2.27.0
2.27.1
2.28.0
2.29.0
2.29.1
2.29.2
2.30.0
2.31.0
2.31.1
2.32.0
2.33.0
2.33.1
2.34.0
2.34.1
2.34.2
2.34.3
2.35.0
2.35.1
2.36.0
2.36.1
2.36.2
2.36.3
2.38.0
2.39.0
2.39.1
2.39.2
2.40.0
2.41.0
2.42.0
2.42.1
2.43.0
2.44.0
2.45.0
2.46.0
2.46.1
2.47.0
2.48.0
2.49.0
2.50.0
2.51.0
2.51.1
2.52.0
2.53.0
2.54.0
2.54.1
2.54.2
2.54.3
2.55.0
2.56.0
2.57.0
2.58.0
2.59.0
2.59.1
2.6.1
2.6.2
2.60.0
2.60.1
2.60.2
2.60.3
2.60.4
2.62.0
2.63.0
2.64.0
2.64.1
2.65.0
2.66.0
2.67.0
2.7.0
2.8.0
2.9.0
2.9.1
2.9.2
3.*
3.0.0
3.0.0-alpha.1
3.0.0-alpha.2
3.0.0-alpha.3
3.0.0-alpha.4
3.0.0-alpha.4.2
3.0.0-alpha.5
3.0.0-alpha.6.1
3.0.0-alpha.7
3.0.0-beta.1
3.0.0-beta.1.1
3.0.0-beta.2
3.0.0-beta.3
3.0.1
3.1.0
3.1.2
3.11.0
3.12.0
3.13.0
3.14.0
3.14.1
3.14.2
3.15.0
3.16.0
3.16.1
3.17.0
3.18.0
3.19.0
3.2.0
3.21.0
3.22.0
3.23.0
3.24.0
3.25.0
3.26.0
3.26.1
3.27.0
3.28.0
3.28.1
3.29.0
3.3.0
3.30.0
3.31.0
3.32.0
3.33.0
3.34.0
3.35.0
3.36.0
3.37.0
3.38.0
3.38.1
3.39.0
3.39.2
3.4.0
3.4.1
3.40.0
3.40.1
3.41.1
3.42.0
3.43.0
3.44.0
3.45.0
3.46.0
3.47.0
3.48.0
3.49.0
3.5.0
3.50.0
3.51.0
3.51.1
3.52.0
3.53.0
3.54.0
3.55.0
3.56.0
3.57.0
3.58.0
3.58.1
3.59.0
3.6.0
3.60.0
3.60.1
3.61.0
3.62.0
3.63.1
3.7.0
3.8.0
3.8.1
3.9.0
4.*
4.0.0
4.1.0
4.1.1
4.10.0
4.11.0
4.11.2
4.12.0
4.13.0
4.14.0
4.15.0
4.16.0
4.17.0
4.17.1
4.18.0
4.19.0
4.2.0
4.20.0
4.21.0
4.22.0
4.23.0
4.24.0
4.3.0
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.5.2
4.5.3
4.6.0
4.7.0
4.8.0
4.9.0
@apostrophecms/ai-helper@1.*
@apostrophecms/ai-helper@1.0.0-beta.11
@apostrophecms/apostrophe-astro@1.*
@apostrophecms/apostrophe-astro@1.10.0
@apostrophecms/apostrophe-astro@1.8.0
@apostrophecms/apostrophe-astro@1.9.0
@apostrophecms/cli@3.*
@apostrophecms/cli@3.6.0
@apostrophecms/form@1.*
@apostrophecms/form@1.5.3
@apostrophecms/import-export@3.*
@apostrophecms/import-export@3.5.1
@apostrophecms/import-export@3.5.2
@apostrophecms/import-export@3.5.3
@apostrophecms/login-totp@1.*
@apostrophecms/login-totp@1.3.3
@apostrophecms/openapi-generator@1.*
@apostrophecms/openapi-generator@1.0.0
@apostrophecms/seo@1.*
@apostrophecms/seo@1.4.0
@apostrophecms/seo@1.4.1
@apostrophecms/sitemap@1.*
@apostrophecms/sitemap@1.3.0
apostrophe@4.*
apostrophe@4.25.0
apostrophe@4.26.0
apostrophe@4.28.0
apostrophecms-openapi@1.*
apostrophecms-openapi@1.1.0
postcss-viewport-to-container-toggle@2.*
postcss-viewport-to-container-toggle@2.2.0
postcss-viewport-to-container-toggle@2.3.0
sanitize-html@2.*
sanitize-html@2.17.1
sanitize-html@2.17.2
uploadfs@1.*
uploadfs@1.26.1
v0.*
v0.4.68

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35569.json"