Security: apostrophecms/apostrophe
Security Advisories
- Stored Cross-Site Scripting via Unsanitized User Display Name in Draft Version Tooltip (GHSA-hvx2-4ghc-j37m), published May 13, 2026 by boutell, severity: High
- Default XSS via `xmp` raw-text passthrough in `sanitize-html` (GHSA-rpr9-rxv7-x643), published May 13, 2026 by boutell, severity: Critical
- Stored XSS via javascript: URL in Image Widget Link (GHSA-5f64-7vfc-rcx6), published May 13, 2026 by boutell, severity: High
- Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation in apostrophe (GHSA-gf43-24g3-5hw2), published May 13, 2026 by boutell, severity: High
- Command Injection in apos create via Unsanitized Password Input (CWE-78) (GHSA-hcwq-x9fw-8cfq), published May 13, 2026 by boutell, severity: Moderate
- Authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget (GHSA-pr28-mf3q-qpg6), published May 13, 2026 by boutell, severity: High
- Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS (GHSA-855c-r2vq-c292), published Apr 15, 2026 by boutell, severity: High
- Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions (GHSA-c276-fj82-f2pq), published Apr 15, 2026 by boutell, severity: Moderate
- sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements (GHSA-9mrh-v2v3-xpfm), published Apr 15, 2026 by boutell, severity: Moderate
- Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context (GHSA-97v6-998m-fp4g), published Apr 15, 2026 by boutell, severity: Moderate