Security: apostrophecms/apostrophe

Security policy (SECURITY.md): Please help us keep all ApostropheCMS projects safe. If you become aware of a security vulnerability in ApostropheCMS or any official modules, please contact us via email at security@apostrophecms.com.

Published advisories:
- Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS (GHSA-855c-r2vq-c292). Published Apr 15, 2026 by boutell. Severity: High
- Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions (GHSA-c276-fj82-f2pq). Published Apr 15, 2026 by boutell. Severity: Moderate
- sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements (GHSA-9mrh-v2v3-xpfm). Published Apr 15, 2026 by boutell. Severity: Moderate
- Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context (GHSA-97v6-998m-fp4g). Published Apr 15, 2026 by boutell. Severity: Moderate
- publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API (GHSA-xhq9-58fw-859p). Published Apr 15, 2026 by boutell. Severity: Moderate
- User Enumeration via Timing Side Channel in Password Reset Endpoint (GHSA-mj7r-x3h3-7rmr). Published Apr 15, 2026 by boutell. Severity: Low
- Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction (GHSA-mwxc-m426-3f78). Published Mar 18, 2026 by BoDonkey. Severity: Critical
- MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware (GHSA-v9xm-ffx2-7h35). Published Mar 18, 2026 by BoDonkey. Severity: Critical
Learn more about advisories related to apostrophecms/apostrophe in the GitHub Advisory Database