CVE-2026-35569: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in apostrophecms apostrophe
ApostropheCMS versions 4. 28. 0 and earlier contain a stored cross-site scripting (XSS) vulnerability in SEO-related fields where user input is not properly encoded before being rendered in HTML contexts. This allows an attacker to inject malicious JavaScript that executes in the browsers of authenticated users viewing the affected pages. The vulnerability enables attackers to perform authenticated API requests and access sensitive user data such as usernames, email addresses, and roles. The issue is fixed in version 4. 29. 0.
AI Analysis
Technical Summary
CVE-2026-35569 is a stored cross-site scripting vulnerability in ApostropheCMS (versions prior to 4.29.0) affecting SEO Title and Meta Description fields. User-controlled input is rendered without proper output encoding in HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. This improper neutralization of input (CWE-79, CWE-116) allows injection of arbitrary JavaScript, which executes in the context of authenticated users. Exploitation can lead to authenticated API requests and unauthorized access to sensitive internal data. The vulnerability has a CVSS 3.1 score of 8.7 (high severity) and was fixed in version 4.29.0.
Potential Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of authenticated users, potentially leading to unauthorized API requests and exfiltration of sensitive information such as usernames, email addresses, and user roles. This compromises confidentiality and integrity of user data within ApostropheCMS instances running vulnerable versions.
Mitigation Recommendations
Upgrade ApostropheCMS to version 4.29.0 or later, where this vulnerability has been fixed. No other mitigations are specified or required once the update is applied.
CVE-2026-35569: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in apostrophecms apostrophe
Description
ApostropheCMS versions 4. 28. 0 and earlier contain a stored cross-site scripting (XSS) vulnerability in SEO-related fields where user input is not properly encoded before being rendered in HTML contexts. This allows an attacker to inject malicious JavaScript that executes in the browsers of authenticated users viewing the affected pages. The vulnerability enables attackers to perform authenticated API requests and access sensitive user data such as usernames, email addresses, and roles. The issue is fixed in version 4. 29. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35569 is a stored cross-site scripting vulnerability in ApostropheCMS (versions prior to 4.29.0) affecting SEO Title and Meta Description fields. User-controlled input is rendered without proper output encoding in HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. This improper neutralization of input (CWE-79, CWE-116) allows injection of arbitrary JavaScript, which executes in the context of authenticated users. Exploitation can lead to authenticated API requests and unauthorized access to sensitive internal data. The vulnerability has a CVSS 3.1 score of 8.7 (high severity) and was fixed in version 4.29.0.
Potential Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of authenticated users, potentially leading to unauthorized API requests and exfiltration of sensitive information such as usernames, email addresses, and user roles. This compromises confidentiality and integrity of user data within ApostropheCMS instances running vulnerable versions.
Mitigation Recommendations
Upgrade ApostropheCMS to version 4.29.0 or later, where this vulnerability has been fixed. No other mitigations are specified or required once the update is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-03T20:09:02.826Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dfeeb382d89c981f94227d
Added to database: 4/15/2026, 8:01:55 PM
Last enriched: 4/15/2026, 8:16:49 PM
Last updated: 4/15/2026, 10:08:11 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.