CVE-2026-53609

Source
https://cve.org/CVERecord?id=CVE-2026-53609
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53609.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53609
Aliases
  • GHSA-6h5j-32cf-4253
Published
2026-06-12T20:59:25.486Z
Modified
2026-07-08T08:11:31.107990865Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L CVSS Calculator
Summary
Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that leads to process-wide authorization bypass
Details

ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, apos.util.set() traverses dot-notation paths without sanitizing __proto__, allowing an authenticated editor to write arbitrary values to Object.prototype via the $pullAll patch operator. A confirmed gadget in publicApiCheck() causes this to bypass authorization on all piece-type REST API endpoints for every subsequent unauthenticated request, for the lifetime of the Node.js process. As of time of publication, no known patched versions are available.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53609.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1321"
    ]
}
References

Affected packages

Git / github.com/apostrophecms/apostrophe

Affected ranges

Type
GIT
Repo
https://github.com/apostrophecms/apostrophe
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.30.0"
        }
    ]
}

Affected versions

0.*
0.1.1
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.3.0
0.3.1
0.3.10
0.3.11
0.3.12
0.3.15
0.3.16
0.3.18
0.3.19
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.4.1
0.4.10
0.4.100
0.4.101
0.4.102
0.4.104
0.4.11
0.4.110
0.4.111
0.4.112
0.4.113
0.4.114
0.4.115
0.4.116
0.4.117
0.4.118
0.4.119
0.4.12
0.4.120
0.4.121
0.4.122
0.4.123
0.4.124
0.4.125
0.4.13
0.4.14
0.4.15
0.4.16
0.4.18
0.4.184
0.4.19
0.4.2
0.4.20
0.4.21
0.4.22
0.4.23
0.4.24
0.4.25
0.4.26
0.4.27
0.4.28
0.4.29
0.4.3
0.4.30
0.4.31
0.4.32
0.4.33
0.4.34
0.4.35
0.4.37
0.4.4
0.4.40
0.4.41
0.4.42
0.4.43
0.4.44
0.4.45
0.4.46
0.4.47
0.4.5
0.4.51
0.4.52
0.4.53
0.4.54
0.4.55
0.4.57
0.4.58
0.4.59
0.4.6
0.4.60
0.4.61
0.4.62
0.4.63
0.4.64
0.4.65
0.4.66
0.4.67
0.4.68
0.4.69
0.4.7
0.4.70
0.4.71
0.4.72
0.4.73
0.4.74
0.4.75
0.4.8
0.4.82
0.4.83
0.4.84
0.4.85
0.4.86
0.4.87
0.4.88
0.4.89
0.4.90
0.4.91
0.4.92
0.4.93
0.4.94
0.4.95
0.4.96
0.4.97
0.4.98
0.4.99
0.5.0
0.5.1
0.5.10
0.5.100
0.5.102
0.5.103
0.5.104
0.5.106
0.5.107
0.5.108
0.5.109
0.5.111
0.5.113
0.5.115
0.5.116
0.5.117
0.5.12
0.5.120
0.5.121
0.5.124
0.5.125
0.5.126
0.5.127
0.5.128
0.5.13
0.5.130
0.5.131
0.5.133
0.5.134
0.5.135
0.5.136
0.5.138
0.5.14
0.5.141
0.5.142
0.5.143
0.5.144
0.5.145
0.5.146
0.5.148
0.5.149
0.5.150
0.5.151
0.5.155
0.5.156
0.5.157
0.5.158
0.5.159
0.5.16
0.5.165
0.5.167
0.5.168
0.5.169
0.5.17
0.5.178
0.5.179
0.5.180
0.5.181
0.5.183
0.5.187
0.5.188
0.5.189
0.5.19
0.5.190
0.5.191
0.5.192
0.5.193
0.5.194
0.5.197
0.5.198
0.5.199
0.5.2
0.5.20
0.5.201
0.5.202
0.5.203
0.5.204
0.5.205
0.5.206
0.5.207
0.5.208
0.5.21
0.5.213
0.5.215
0.5.216
0.5.217
0.5.218
0.5.219
0.5.22
0.5.221
0.5.222
0.5.223
0.5.224
0.5.226
0.5.227
0.5.228
0.5.229
0.5.23
0.5.230
0.5.24
0.5.240
0.5.241
0.5.242
0.5.244
0.5.245
0.5.246
0.5.247
0.5.248
0.5.249
0.5.25
0.5.250
0.5.251
0.5.252
0.5.253
0.5.254
0.5.26
0.5.269
0.5.27
0.5.270
0.5.271
0.5.272
0.5.273
0.5.275
0.5.276
0.5.278
0.5.279
0.5.28
0.5.280
0.5.281
0.5.282
0.5.283
0.5.284
0.5.285
0.5.286
0.5.287
0.5.288
0.5.29
0.5.290
0.5.291
0.5.292
0.5.293
0.5.294
0.5.296
0.5.297
0.5.298
0.5.3
0.5.30
0.5.300
0.5.301
0.5.302
0.5.303
0.5.305
0.5.307
0.5.308
0.5.309
0.5.31
0.5.310
0.5.311
0.5.312
0.5.32
0.5.327
0.5.328
0.5.33
0.5.330
0.5.331
0.5.332
0.5.333
0.5.336
0.5.337
0.5.338
0.5.339
0.5.34
0.5.340
0.5.343
0.5.344
0.5.345
0.5.346
0.5.347
0.5.348
0.5.349
0.5.35
0.5.350
0.5.351
0.5.352
0.5.353
0.5.354
0.5.355
0.5.356
0.5.357
0.5.358
0.5.359
0.5.36
0.5.360
0.5.361
0.5.362
0.5.363
0.5.364
0.5.365
0.5.366
0.5.367
0.5.368
0.5.369
0.5.37
0.5.370
0.5.371
0.5.372
0.5.373
0.5.374
0.5.375
0.5.376
0.5.377
0.5.378
0.5.379
0.5.38
0.5.380
0.5.381
0.5.382
0.5.383
0.5.384
0.5.39
0.5.4
0.5.40
0.5.43
0.5.44
0.5.45
0.5.47
0.5.48
0.5.5
0.5.50
0.5.51
0.5.52
0.5.55
0.5.56
0.5.57
0.5.58
0.5.59
0.5.6
0.5.60
0.5.61
0.5.63
0.5.64
0.5.65
0.5.67
0.5.68
0.5.69
0.5.7
0.5.70
0.5.71
0.5.75
0.5.76
0.5.77
0.5.78
0.5.79
0.5.8
0.5.82
0.5.84
0.5.85
0.5.86
0.5.88
0.5.89
0.5.9
0.5.90
0.5.91
0.5.92
0.5.93
0.5.94
0.5.95
0.5.96
0.5.97
0.5.98
0.5.99
2.*
2.0.1
2.0.2
2.0.3
2.0.4
2.1.1
2.1.2
2.1.3
2.10.0
2.10.1
2.10.2
2.10.3
2.11.0
2.12.0
2.13.0
2.13.1
2.13.2
2.14.0
2.14.1
2.14.2
2.15.0
2.15.1
2.15.2
2.16.0
2.16.1
2.17.0
2.17.1
2.17.2
2.18.0
2.18.1
2.18.2
2.19.0
2.19.1
2.20.1
2.20.2
2.20.3
2.22.0
2.23.0
2.23.1
2.23.2
2.24.0
2.25.0
2.25.1
2.26.0
2.26.1
2.27.0
2.27.1
2.28.0
2.29.0
2.29.1
2.29.2
2.30.0
2.31.0
2.31.1
2.32.0
2.33.0
2.33.1
2.34.0
2.34.1
2.34.2
2.34.3
2.35.0
2.35.1
2.36.0
2.36.1
2.36.2
2.36.3
2.38.0
2.39.0
2.39.1
2.39.2
2.40.0
2.41.0
2.42.0
2.42.1
2.43.0
2.44.0
2.45.0
2.46.0
2.46.1
2.47.0
2.48.0
2.49.0
2.50.0
2.51.0
2.51.1
2.52.0
2.53.0
2.54.0
2.54.1
2.54.2
2.54.3
2.55.0
2.56.0
2.57.0
2.58.0
2.59.0
2.59.1
2.6.1
2.6.2
2.60.0
2.60.1
2.60.2
2.60.3
2.60.4
2.62.0
2.63.0
2.64.0
2.64.1
2.65.0
2.66.0
2.67.0
2.7.0
2.8.0
2.9.0
2.9.1
2.9.2
3.*
3.0.0
3.0.0-alpha.1
3.0.0-alpha.2
3.0.0-alpha.3
3.0.0-alpha.4
3.0.0-alpha.4.2
3.0.0-alpha.5
3.0.0-alpha.6.1
3.0.0-alpha.7
3.0.0-beta.1
3.0.0-beta.1.1
3.0.0-beta.2
3.0.0-beta.3
3.0.1
3.1.0
3.1.2
3.11.0
3.12.0
3.13.0
3.14.0
3.14.1
3.14.2
3.15.0
3.16.0
3.16.1
3.17.0
3.18.0
3.19.0
3.2.0
3.21.0
3.22.0
3.23.0
3.24.0
3.25.0
3.26.0
3.26.1
3.27.0
3.28.0
3.28.1
3.29.0
3.3.0
3.30.0
3.31.0
3.32.0
3.33.0
3.34.0
3.35.0
3.36.0
3.37.0
3.38.0
3.38.1
3.39.0
3.39.2
3.4.0
3.4.1
3.40.0
3.40.1
3.41.1
3.42.0
3.43.0
3.44.0
3.45.0
3.46.0
3.47.0
3.48.0
3.49.0
3.5.0
3.50.0
3.51.0
3.51.1
3.52.0
3.53.0
3.54.0
3.55.0
3.56.0
3.57.0
3.58.0
3.58.1
3.59.0
3.6.0
3.60.0
3.60.1
3.61.0
3.62.0
3.63.1
3.7.0
3.8.0
3.8.1
3.9.0
4.*
4.0.0
4.1.0
4.1.1
4.10.0
4.11.0
4.11.2
4.12.0
4.13.0
4.14.0
4.15.0
4.16.0
4.17.0
4.17.1
4.18.0
4.19.0
4.2.0
4.20.0
4.21.0
4.22.0
4.23.0
4.24.0
4.3.0
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.5.2
4.5.3
4.6.0
4.7.0
4.8.0
4.9.0
@apostrophecms/ai-helper@1.*
@apostrophecms/ai-helper@1.0.0-beta.11
@apostrophecms/apostrophe-astro@1.*
@apostrophecms/apostrophe-astro@1.10.0
@apostrophecms/apostrophe-astro@1.11.0
@apostrophecms/apostrophe-astro@1.12.0
@apostrophecms/apostrophe-astro@1.8.0
@apostrophecms/apostrophe-astro@1.9.0
@apostrophecms/cli@3.*
@apostrophecms/cli@3.6.0
@apostrophecms/cli@3.6.1
@apostrophecms/form@1.*
@apostrophecms/form@1.5.3
@apostrophecms/import-export@3.*
@apostrophecms/import-export@3.5.1
@apostrophecms/import-export@3.5.2
@apostrophecms/import-export@3.5.3
@apostrophecms/import-export@3.6.0
@apostrophecms/login-totp@1.*
@apostrophecms/login-totp@1.3.3
@apostrophecms/openapi-generator@1.*
@apostrophecms/openapi-generator@1.0.0
@apostrophecms/seo@1.*
@apostrophecms/seo@1.4.0
@apostrophecms/seo@1.4.1
@apostrophecms/seo@1.4.2
@apostrophecms/sitemap@1.*
@apostrophecms/sitemap@1.3.0
@apostrophecms/sitemap@1.4.0
apostrophe@4.*
apostrophe@4.25.0
apostrophe@4.26.0
apostrophe@4.28.0
apostrophe@4.29.0
apostrophe@4.30.0
apostrophecms-openapi@1.*
apostrophecms-openapi@1.1.0
launder@1.*
launder@1.7.1
postcss-viewport-to-container-toggle@2.*
postcss-viewport-to-container-toggle@2.2.0
postcss-viewport-to-container-toggle@2.3.0
sanitize-html@2.*
sanitize-html@2.17.1
sanitize-html@2.17.2
sanitize-html@2.17.3
sanitize-html@2.17.4
uploadfs@1.*
uploadfs@1.26.1
v0.*
v0.4.68

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53609.json"