Please help us keep all ApostropheCMS projects safe. If you become aware of a security vulnerability in ApostropheCMS or any official modules, please contact us via email at security@apostrophecms.com.
Security: apostrophecms/apostrophe
Published advisories (title, GHSA identifier, publication date, reporter, severity):

- Stored Cross-Site Scripting via Unsanitized User Display Name in Draft Version Tooltip (GHSA-hvx2-4ghc-j37m), published May 13, 2026 by boutell. Severity: High
- Default XSS via `xmp` raw-text passthrough in `sanitize-html` (GHSA-rpr9-rxv7-x643), published May 13, 2026 by boutell. Severity: Critical
- Stored XSS via javascript: URL in Image Widget Link (GHSA-5f64-7vfc-rcx6), published May 13, 2026 by boutell. Severity: High
- Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation in apostrophe (GHSA-gf43-24g3-5hw2), published May 13, 2026 by boutell. Severity: High
- Command Injection in apos create via Unsanitized Password Input (CWE-78) (GHSA-hcwq-x9fw-8cfq), published May 13, 2026 by boutell. Severity: Moderate
- Authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget (GHSA-pr28-mf3q-qpg6), published May 13, 2026 by boutell. Severity: High
- Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS (GHSA-855c-r2vq-c292), published Apr 15, 2026 by boutell. Severity: High
- Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions (GHSA-c276-fj82-f2pq), published Apr 15, 2026 by boutell. Severity: Moderate
- sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements (GHSA-9mrh-v2v3-xpfm), published Apr 15, 2026 by boutell. Severity: Moderate
- Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context (GHSA-97v6-998m-fp4g), published Apr 15, 2026 by boutell. Severity: Moderate
Learn more about advisories related to apostrophecms/apostrophe in the GitHub Advisory Database