CVE-2026-42853 | THREATINT

Description

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of time of publication, no known patched versions are available.

PUBLISHED Reserved 2026-04-30 | Published 2026-06-12 | Updated 2026-06-13 | Assigner GitHub_M

MEDIUM: 6.5CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

<= 3.6.0

affected

References

github.com/...trophe/security/advisories/GHSA-hcwq-x9fw-8cfq exploit

github.com/...trophe/security/advisories/GHSA-hcwq-x9fw-8cfq

cve.org (CVE-2026-42853)

nvd.nist.gov (CVE-2026-42853)

Download JSON