CVE-2026-42853
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk34th percentile - higher than 34% of all known CVEs
Summary
ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command, allowing execution of arbitrary commands on the host system.
Risk Assessment
Exploitation of this vulnerability could lead to unauthorized access and full control over the system, posing a serious security threat to the organization.
Recommendation
It is recommended to upgrade to a patched version and implement additional security measures to mitigate command injection risks.
Original NVD description (English source)
ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of time of publication, no known patched versions are available.

