apostrophe (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package apostrophe, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (11)
CVE-2021-25979 — CVSS 9.8 (critical): Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password…
CVE-2026-35569 — CVSS 8.7 (high): ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting…
CVE-2026-32730 — CVSS 8.1 (high): ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in…
CVE-2026-45013 — CVSS 8.1 (high): ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that…
CVE-2026-45012 — CVSS 7.6 (high): ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side…
CVE-2026-45011 — CVSS 7.3 (high): ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the…
CVE-2026-33889 — CVSS 5.4 (medium): ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting…
CVE-2021-25978 — CVSS 5.4 (medium): Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious…
CVE-2026-39857 — CVSS 5.3 (medium): ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability…
CVE-2026-33888 — CVSS 5.3 (medium): ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability…
CVE-2026-33877 — CVSS 3.7 (low): ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in…