CVE-2026-42853
Severity
MEDIUM
@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input
Title source: cnaDescription
ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of the time of publication, no known patched versions are available.
References (1)
Reference type: x_refsource_confirm
https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-hcwq-x9fw-8cfq
Scores
CVSS v3
6.5
EPSS
0.0043
EPSS Percentile
33.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (2)
apostrophecms/@apostrophecms/cli
<= 3.6.0
apostrophecms/cli
0 - 3.6.0 (npm)
Published
Jun 12, 2026
Tracked Since
Jun 13, 2026