Please help us keep all ApostropheCMS projects safe. If you become aware of a security vulnerability in ApostropheCMS or any official modules, please contact us via email at security@apostrophecms.com.
Security: apostrophecms/apostrophe
Published advisories:

- Server-Side Prototype Pollution in apos.util.set via patch operators leads to process-wide authorization bypass (GHSA-6h5j-32cf-4253), published Jun 11, 2026 by boutell. Severity: Critical
- Stored XSS via Unsanitized Google Analytics / GTM ID Injected into Script Tag (GHSA-wf43-fpp3-cf65), published Jun 11, 2026 by boutell. Severity: High
- Unauthenticated SSRF in @apostrophecms/file pretty-URL via Host header (GHSA-34pj-2622-jvxq), published Jun 11, 2026 by boutell. Severity: Low
- Incomplete URI scheme validation in sanitize-html allows javascript: URIs through action, formaction, data, poster, and background attributes (GHSA-vccv-cmxp-4j9h), published Jun 11, 2026 by boutell. Severity: Moderate
- Stored Cross-Site Scripting via Unsanitized User Display Name in Draft Version Tooltip (GHSA-hvx2-4ghc-j37m), published May 13, 2026 by boutell. Severity: High
- Default XSS via `xmp` raw-text passthrough in `sanitize-html` (GHSA-rpr9-rxv7-x643), published May 13, 2026 by boutell. Severity: Critical
- Stored XSS via javascript: URL in Image Widget Link (GHSA-5f64-7vfc-rcx6), published May 13, 2026 by boutell. Severity: High
- Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation in apostrophe (GHSA-gf43-24g3-5hw2), published May 13, 2026 by boutell. Severity: High
- Command Injection in apos create via Unsanitized Password Input (CWE-78) (GHSA-hcwq-x9fw-8cfq), published May 13, 2026 by boutell. Severity: Moderate
- Authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget (GHSA-pr28-mf3q-qpg6), published May 13, 2026 by boutell. Severity: High
Learn more about advisories related to apostrophecms/apostrophe in the GitHub Advisory Database