Stored Cross-Site Scripting Vulnerability in ApostropheCMS by Apostrophe
CVE-2026-35569
8.7HIGH
What is CVE-2026-35569?
ApostropheCMS versions 4.28.0 and earlier are vulnerable to a stored cross-site scripting (XSS) attack through unencoded user input in SEO-related fields such as SEO Title and Meta Description. Attackers can exploit this vulnerability by injecting malicious scripts, potentially enabling them to execute arbitrary JavaScript in the browsers of authenticated users. This could facilitate unauthorized API requests, compromising sensitive user information such as usernames and email addresses. The issue is resolved in version 4.29.0, so upgrading is critical to maintaining security.
Affected Version(s)
apostrophe < 4.29.0