CVE-2026-35569: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in apostrophecms apostrophe
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as "></title><script>alert(1)</script> to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any authenticated user who views the affected page. This can be leveraged to perform authenticated API requests, access sensitive data such as usernames, email addresses, and roles via internal APIs, and exfiltrate it to an attacker-controlled server. This issue has been fixed in version 4.29.0.
AI Analysis
Technical Summary
CVE-2026-35569 is a stored cross-site scripting vulnerability in ApostropheCMS (versions prior to 4.29.0) affecting SEO-related fields where user input is improperly neutralized during web page generation. The lack of proper output encoding in HTML contexts such as <title> tags, <meta> attributes, and JSON-LD structured data allows injection of arbitrary JavaScript. Exploitation requires an authenticated user to view the maliciously crafted content, enabling execution of scripts that can perform authenticated API requests and access sensitive internal data like usernames, emails, and roles.
Potential Impact
Successful exploitation can lead to execution of arbitrary JavaScript in the browsers of authenticated users, enabling attackers to perform authenticated API requests and access sensitive user data such as usernames, email addresses, and roles. This can result in data exfiltration and compromise of user accounts. The vulnerability does not affect availability but has high confidentiality and integrity impact.
Mitigation Recommendations
This vulnerability is fixed in ApostropheCMS version 4.29.0. Users should upgrade to version 4.29.0 or later to remediate the issue. Since this is not a cloud service, patching the affected software is required. No other vendor advisory or temporary mitigation is provided.
CVE-2026-35569: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in apostrophecms apostrophe
Description
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as "></title><script>alert(1)</script> to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any authenticated user who views the affected page. This can be leveraged to perform authenticated API requests, access sensitive data such as usernames, email addresses, and roles via internal APIs, and exfiltrate it to an attacker-controlled server. This issue has been fixed in version 4.29.0.
CVSS v3.1
Score 8.7high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35569 is a stored cross-site scripting vulnerability in ApostropheCMS (versions prior to 4.29.0) affecting SEO-related fields where user input is improperly neutralized during web page generation. The lack of proper output encoding in HTML contexts such as <title> tags, <meta> attributes, and JSON-LD structured data allows injection of arbitrary JavaScript. Exploitation requires an authenticated user to view the maliciously crafted content, enabling execution of scripts that can perform authenticated API requests and access sensitive internal data like usernames, emails, and roles.
Potential Impact
Successful exploitation can lead to execution of arbitrary JavaScript in the browsers of authenticated users, enabling attackers to perform authenticated API requests and access sensitive user data such as usernames, email addresses, and roles. This can result in data exfiltration and compromise of user accounts. The vulnerability does not affect availability but has high confidentiality and integrity impact.
Mitigation Recommendations
This vulnerability is fixed in ApostropheCMS version 4.29.0. Users should upgrade to version 4.29.0 or later to remediate the issue. Since this is not a cloud service, patching the affected software is required. No other vendor advisory or temporary mitigation is provided.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-03T20:09:02.826Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dfeeb382d89c981f94227d
Added to database: 4/15/2026, 8:01:55 PM
Last enriched: 5/15/2026, 9:23:55 AM
Last updated: 5/30/2026, 10:27:05 AM
Views: 72
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.