CVE Catalog

CVE-2026-42853

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

34th percentile - higher than 34% of all known CVEs

Summary

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command, allowing execution of arbitrary commands on the host system.

Risk Assessment

Exploitation of this vulnerability could lead to unauthorized access and full control over the system, posing a serious security threat to the organization.

Recommendation

It is recommended to upgrade to a patched version and implement additional security measures to mitigate command injection risks.

Original NVD description (English source)

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of time of publication, no known patched versions are available.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS