CVE-2026-42853
Deferred - Pending Action

Command Injection in ApostropheCMS CLI

Vulnerability report for CVE-2026-42853, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of the time of publication, no known patched versions are available.


Meta Information

Published: 2026-06-12
Last Modified: 2026-06-15
Generated: 2026-07-03
AI Q&A: 2026-06-13
EPSS Evaluated: 2026-07-01

Affected Vendors & Products

Showing 1 associated CPE

Vendor: apostrophecms
Product: cli
Version / Range: up to 3.6.0 (inclusive)

Exploitability

CWE ID: CWE-78
Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

AI Quick Actions

Executive Summary

This vulnerability exists in the @apostrophecms/cli package up to version 3.6.0, specifically in the apos create command. It is a command injection vulnerability where user input from the password prompt is directly embedded into a shell command without proper sanitization or escaping. This flaw allows an attacker to execute arbitrary commands on the host system.

Impact Analysis

The vulnerability can lead to arbitrary command execution on the host system where the ApostropheCMS CLI is run. This means an attacker could potentially run malicious commands, leading to compromise of system integrity, confidentiality, and availability.

Mitigation Strategies

Since no patched versions are available as of the publication date, immediate mitigation steps include avoiding the use of the vulnerable apos create command with untrusted input.

Restrict access to the @apostrophecms/cli package and ensure that only trusted users can execute commands that involve the password prompt.

Monitor and audit usage of the apos create command to detect any suspicious activity.

Compliance Impact

The vulnerability allows execution of arbitrary commands on the host system due to command injection in the ApostropheCMS CLI. This can lead to unauthorized access, data breaches, and potential compromise of sensitive information.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Detection Guidance

This vulnerability can be detected by attempting to exploit the command injection in the `apos create` command of the @apostrophecms/cli package. Specifically, you can test the password prompt input for injection of shell metacharacters.

A suggested command to test for this vulnerability is to run the `apos create` command and enter a malicious payload at the password prompt, such as:

  • "; id > /tmp/apos_rce_proof.txt; echo "

If the file `/tmp/apos_rce_proof.txt` is created and contains the output of the `id` command, this confirms the presence of the command injection vulnerability.

Note that this test requires local access to the system where the @apostrophecms/cli is installed and the ability to run the `apos create` command.
