MEDIUM 5.4 npm
GHSA-4r9c-jghc-cx5m · CVE-2021-25978 Cross-site Scripting in apostrophe
Modified: 11/8/2023
package
npm / apostrophe
pkg:npm/apostrophe
HIGH 7.3 npm
GHSA-5f64-7vfc-rcx6 · CVE-2026-45011 Apostrophe has stored XSS via javascript: URL in Image Widget Link
Modified: 6/12/2026
HIGH 8.7 npm
GHSA-855c-r2vq-c292 · CVE-2026-35569 Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS
Modified: 5/5/2026
MEDIUM 5.4 npm
GHSA-97v6-998m-fp4g · CVE-2026-33889 ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context
Modified: 4/16/2026
CRITICAL 9.8 npm
GHSA-9j9m-8wjc-ff96 · CVE-2021-25979 Apostrophe CMS Insufficient Session Expiration vulnerability
Modified: 11/8/2023
MEDIUM 5.3 npm
GHSA-c276-fj82-f2pq · CVE-2026-39857 ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions
Modified: 4/16/2026
HIGH 8.1 npm
GHSA-gf43-24g3-5hw2 · CVE-2026-45013 Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation
Modified: 6/12/2026
MEDIUM npm
GHSA-h97g-4mx7-5p2p Open Redirect in apostrophe
Modified: 9/28/2021
LOW 3.7 npm
GHSA-mj7r-x3h3-7rmr · CVE-2026-33877 ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint
Modified: 4/16/2026
HIGH 7.6 npm
GHSA-pr28-mf3q-qpg6 · CVE-2026-45012 Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget
Modified: 6/12/2026
LOW npm
GHSA-pv6r-vchh-cxg9 Denial of Service in apostrophe
Modified: 8/31/2020
HIGH 8.1 npm
GHSA-v9xm-ffx2-7h35 · CVE-2026-32730 ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
Modified: 3/19/2026
MEDIUM 5.3 npm
GHSA-xhq9-58fw-859p · CVE-2026-33888 ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API
Modified: 4/16/2026