CVE-2026-35569
Status: Received - Intake
Stored XSS in ApostropheCMS SEO Fields Allows Data Theft

Publication date: 2026-04-15

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as "></title><script>alert(1)</script> to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any authenticated user who views the affected page. This can be leveraged to perform authenticated API requests, access sensitive data such as usernames, email addresses, and roles via internal APIs, and exfiltrate it to an attacker-controlled server. This issue has been fixed in version 4.29.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: apostrophecms
Product: apostrophecms
Version / Range: up to 4.29.0 (excluded)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35569 is a stored cross-site scripting (XSS) vulnerability in ApostropheCMS, an open-source Node.js content management system. It affects versions 4.28.0 and earlier, specifically in SEO-related fields such as the SEO Title and Meta Description.

The vulnerability occurs because user-controlled input in these fields is rendered without proper output encoding in HTML contexts like <title> tags, <meta> attributes, and JSON-LD structured data. This allows an attacker to inject malicious JavaScript payloads that execute in the browsers of authenticated users who view the affected pages.

For example, an attacker can insert a payload like "></title><script>alert(1)</script> to break out of the intended HTML context and run arbitrary script.

This vulnerability enables attackers to perform authenticated API requests, access sensitive data such as usernames, email addresses, and user roles via internal APIs, and exfiltrate this information to attacker-controlled servers.

The issue has been fixed in ApostropheCMS version 4.29.0 by introducing a safe JSON serialization mechanism and improving template rendering to properly escape user input.
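The two encoding failures the advisory names (raw interpolation into <title>/<meta>, and JSON-LD emitted with plain JSON.stringify) and the per-context fixes they call for, shown as an added example in Node.js. This is illustrative code, not ApostropheCMS's template or its actual patch; the field names, the rendering functions and the sample values are constructed for the example.

```javascript
// Added example (not ApostropheCMS code): context-aware encoding of the
// user-controlled SEO fields named in the advisory, next to the raw
// interpolation pattern that CWE-79 / CWE-116 describe.

// Entity-encode for HTML text content and double-quoted attribute values.
// '&' goes first so the entities produced afterwards are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Serialize for an inline <script type="application/ld+json"> block.
// JSON.stringify alone is not enough: the HTML tokenizer ends the script
// element at the first "</script" it sees, even inside a JSON string, so
// '<', '>' and '&' are replaced by \u escapes, which remain valid JSON.
function safeJsonForScript(obj) {
  return JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// Constructed structured-data object; shape is hypothetical.
function jsonLd(seoTitle, metaDescription) {
  return { '@context': 'https://schema.org', '@type': 'WebPage',
           name: seoTitle, description: metaDescription };
}

// Vulnerable pattern: field values dropped straight into every context.
function renderSeoHeadUnsafe({ seoTitle, metaDescription }) {
  return `<title>${seoTitle}</title>\n` +
    `<meta name="description" content="${metaDescription}">\n` +
    `<script type="application/ld+json">${JSON.stringify(jsonLd(seoTitle, metaDescription))}</script>`;
}

// Hardened pattern: one encoder per output context.
function renderSeoHead({ seoTitle, metaDescription }) {
  return `<title>${escapeHtml(seoTitle)}</title>\n` +
    `<meta name="description" content="${escapeHtml(metaDescription)}">\n` +
    `<script type="application/ld+json">${safeJsonForScript(jsonLd(seoTitle, metaDescription))}</script>`;
}

// A correctly encoded head contains exactly one "<script" (the JSON-LD block)
// and exactly one "</title>", however hostile the field values are.
function countOccurrences(html, needle) {
  return html.split(needle).length - 1;
}

// Constructed sample: the payload quoted in the advisory as the SEO title,
// plus an ordinary description with characters that need encoding.
const SAMPLE = {
  seoTitle: '"></title><script>alert(1)</script>',
  metaDescription: 'Tom & Jerry "classic" <cartoon>',
};
```

Running renderSeoHeadUnsafe(SAMPLE) yields several extra <script and </title> sequences, one per context the payload escapes from; renderSeoHead(SAMPLE) keeps the text intact but inert, and the JSON-LD still parses back to the original values.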


How can this vulnerability impact me?

This vulnerability can have serious impacts if exploited in your ApostropheCMS installation.

  • Arbitrary JavaScript execution in the browser of authenticated users, including administrators.
  • Execution of authenticated API requests using the victim's session, allowing attackers to perform actions with the victim's privileges.
  • Access to sensitive internal data such as usernames, email addresses, and user roles, including administrative roles.
  • Exfiltration of sensitive data to attacker-controlled servers, compromising confidentiality.

Overall, exploitation can lead to a compromise of application confidentiality and integrity, potentially allowing attackers to control or manipulate the CMS environment.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting ApostropheCMS pages or content for malicious payloads injected into SEO-related fields such as SEO Title and Meta Description. Specifically, look for suspicious strings that break out of HTML contexts, for example payloads containing sequences like "></title><script> or similar script tags.

On the system, you can search the database or content storage for these suspicious payloads by querying for patterns that include script tags or unusual HTML sequences in SEO fields.

  • Example query to search for suspicious payloads in the database (assuming a MongoDB backend, as used by ApostropheCMS; the collection and field names below are assumptions and must be matched to your deployment's actual schema):
      db.pages.find({ $or: [ { seoTitle: /<script>/i }, { metaDescription: /<script>/i } ] })
  • Alternatively, grep exported content files for suspicious strings:
      grep -r -i '<script>' /path/to/apostrophe/content

A literal "<script>" match will miss variants such as script tags carrying attributes or a bare "</title>" breakout; broaden the pattern to the context-closing sequences described above rather than relying on one exact string.

Network detection could involve monitoring HTTP traffic for suspicious payloads or exfiltration attempts, such as unusual requests to attacker-controlled domains triggered by injected scripts.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade ApostropheCMS and the @apostrophecms/seo module to version 4.29.0 or later, where this vulnerability has been fixed.

If immediate upgrade is not possible, restrict access to the CMS to trusted users only, especially limiting who can edit SEO-related fields.

Review and sanitize existing SEO Title and Meta Description fields to remove any injected malicious scripts or suspicious payloads.

Monitor for unusual activity such as unexpected API requests or data exfiltration attempts that could indicate exploitation.

Apply web application firewall (WAF) rules to detect and block common XSS payload patterns targeting SEO fields.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to execute arbitrary JavaScript in the browsers of authenticated users, including administrators, which can lead to unauthorized access and exfiltration of sensitive data such as usernames, email addresses, and user roles.

This unauthorized access and data exfiltration can compromise the confidentiality of personal and sensitive information, potentially violating data protection regulations such as GDPR and HIPAA that require safeguarding personal data against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could lead to non-compliance with these common standards and regulations due to the risk of data breaches and exposure of protected information.

