CVE-2026-42853

MEDIUM(6.5)

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Risk Signal Score21/100 — NIEDRIG

CVSS 6.5 — Mittel

EPSS-Score

Exploit-Wahrscheinlichkeit (30 Tage)

CVSS Score

6.5

Technische Schwere

Beschreibung

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of time of publication, no known patched versions are available.

GitHub Advisories

GHSA-hcwq-x9fw-8cfqMEDIUM

@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

npm/@apostrophecms/cli

GitHub Advisory

Referenzen

https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-hcwq-x9fw-8...
https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-hcwq-x9fw-8...