彙總 apostrophecms 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
已披露問題常與 跨站腳本與路徑處理缺陷 相關,可能在 生產負載與軟體部署 場景中帶來 工作階段劫持與檔案覆寫 等暴露風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-40186 | ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependency on the vulnerable sanitize-html version. The code at packages/sanitize-html/index.js:569-573 incorrectly assumes that htmlparser2 does not decode | [email protected] | 6.1 | 0.03% | 2026-04-15 | 2026-04-25 |
| CVE-2026-39857 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exposed publicly. The choices and counts parameters are processed via applyBuildersSafely before the projection is applied, and MongoDB's distinct opera | [email protected] | 5.3 | 0.04% | 2026-04-15 | 2026-04-20 |
| CVE-2026-35569 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as "></title><script>alert(1)</script> to break out of the intended HTML context and execute arbitr | [email protected] | 8.7 | 0.03% | 2026-04-15 | 2026-04-30 |
| CVE-2026-33889 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into <style> tags both in per-widget style elements rendered | [email protected] | 5.4 | 0.03% | 2026-04-15 | 2026-04-20 |
| CVE-2026-33888 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, | [email protected] | 5.3 | 0.09% | 2026-04-15 | 2026-04-20 |
| CVE-2026-33877 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, the handler returns after a fixed 2-second artificial delay, but when a valid user is found, it performs a MongoDB update and SMTP email send with no equivalent delay normalization, producing measurabl | [email protected] | 3.7 | 0.03% | 2026-04-15 | 2026-04-20 |
| CVE-2026-32731 | ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, The `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not resolve or sanitise traversal segments such as `../`. It concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory. No canonical-path check is performed be | [email protected] | 9.9 | 0.06% | 2026-03-18 | 2026-03-24 |
| CVE-2026-32730 | ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or an | [email protected] | 8.1 | 0.06% | 2026-03-18 | 2026-03-24 |
| CVE-2014-125128 | 'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (`<a>`), allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings. | 596c5446-0ce5-4ba2-aa66-48b3b757a647 | 6.1 | 0.07% | 2025-09-08 | 2025-09-19 |
| CVE-2019-25225 | `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code. | 596c5446-0ce5-4ba2-aa66-48b3b757a647 | 6.1 | 0.07% | 2025-09-08 | 2025-09-19 |
| CVE-2024-21501 | Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server. | [email protected] | 5.3 | 1.81% | 2024-02-24 | 2025-04-25 |
| CVE-2022-25887 | The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal. | [email protected] | 5.3 | 0.10% | 2022-08-30 | 2024-11-21 |
| CVE-2021-25979 | Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session. | [email protected] | 9.8 | 0.36% | 2021-11-08 | 2024-11-21 |
| CVE-2021-25978 | Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed. | [email protected] | 5.4 | 0.28% | 2021-11-07 | 2024-11-21 |
| CVE-2021-26540 | Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\example.com". | [email protected] | 5.3 | 0.29% | 2021-02-08 | 2024-11-21 |
| CVE-2021-26539 | Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option. | [email protected] | 5.3 | 0.29% | 2021-02-08 | 2024-11-21 |
| CVE-2016-1000237 | sanitize-html before 1.4.3 has XSS. | [email protected] | 6.1 | 0.24% | 2020-01-23 | 2024-11-21 |