Home / Vulnerability Intelligence / CVE-2026-35569

CVE-2026-35569 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: April 15, 2026

ApostropheCMS - Stored XSS

Published: April 15, 2026Updated: April 15, 2026Remote Exploitable

Overview

ApostropheCMS <= 4.28.0 contains a stored XSS caused by improper output encoding in SEO Title and Meta Description fields, letting attackers execute arbitrary JavaScript in authenticated users' browsers, exploit requires user authentication.

Severity & Score

Severity: High

CVSS Score: 8.7

Impact

Authenticated attackers can execute arbitrary JavaScript, access sensitive data, and perform authenticated API requests.

Mitigation

Upgrade to version 4.29.0 or later.

References

https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-855c-r2vq-c292
https://github.com/apostrophecms/apostrophe/commit/0e57dd07a56ae1ba1e3af646ba026db4d0ab5bb3

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-35569
Severity: High
CVSS Score: 8.7
Type: stored_xss
Status: new

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N