CVE-2026-42853
Status: Received - Intake
Command Injection in ApostropheCMS CLI

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of the time of publication, no known patched versions are available.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor | Product | Version / Range
apostrophecms | cli | up to and including 3.6.0
CWE ID | Description
CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Quick Actions
Executive Summary

This vulnerability exists in the @apostrophecms/cli package up to version 3.6.0, specifically in the apos create command. It is a command injection vulnerability where user input from the password prompt is directly embedded into a shell command without proper sanitization or escaping. This flaw allows an attacker to execute arbitrary commands on the host system.

Impact Analysis

The vulnerability can lead to arbitrary command execution on the host system where the ApostropheCMS CLI is run. This means an attacker could potentially run malicious commands, leading to compromise of system integrity, confidentiality, and availability.

Mitigation Strategies

Since no patched versions are available as of the publication date, immediate mitigation steps include avoiding the use of the vulnerable apos create command with untrusted input.

Restrict access to the @apostrophecms/cli package and ensure that only trusted users can execute commands that involve the password prompt.

Monitor and audit usage of the apos create command to detect any suspicious activity.
