Home/Product/apostrophecms
Product

apostrophecms

17 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-40186
all versions
ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions
6.1MEDIUM
 CVE-2026-39857
< 4.29.0
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulne
5.3MEDIUM
 CVE-2026-35569
< 4.29.0
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting
8.7HIGH
 CVE-2026-33889
< 4.29.0
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting
5.4MEDIUM
 CVE-2026-33888
< 4.29.0
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulne
5.3MEDIUM
 CVE-2026-33877
< 4.29.0
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnera
3.7LOW
 CVE-2026-32731
< 3.5.3
ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of @apostrophecms/import-export, The `extra
9.9CRITICAL
 CVE-2026-32730
< 4.28.0
ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware
8.1HIGH
 CVE-2014-125128
< 1.0.3
'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly va
6.1MEDIUM
 CVE-2019-25225
< 2.0.0
sanitize-html prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The sanitizeHtml() function in `index.j
6.1MEDIUM
 CVE-2024-21501
< 2.12.1
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the s
5.3MEDIUM
 CVE-2022-25887
< 2.7.1
The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regul
5.3MEDIUM
 CVE-2021-25979
>= 2.63.0 and < 3.3.1
Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the pa
9.8CRITICAL
 CVE-2021-25978
>= 2.63.0 and <= 3.3.1
Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains mal
5.4MEDIUM
 CVE-2021-26540
< 2.3.2
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" op
5.3MEDIUM
 CVE-2021-26539
< 2.3.1
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow
5.3MEDIUM
 CVE-2016-1000237
< 1.4.3
sanitize-html before 1.4.3 has XSS.
6.1MEDIUM
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin