Threat Advisory

Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-35569 (CVSS score 8.7) is a Stored Cross-Site Scripting (XSS) vulnerability in the SEO-related fields (SEO Title and Meta Description) of ApostropheCMS, affecting versions <= 4.28.0. The vulnerability arises from improper neutralization of user-controlled input in these fields: their values are rendered into HTML contexts, including <title> tags, <meta> attributes, and JSON-LD structured data, without context-appropriate encoding, which allows an attacker to inject arbitrary JavaScript. A malicious payload stored in the SEO Title field executes as arbitrary JavaScript in an authenticated admin context, where it can perform authenticated API requests (session riding), read sensitive application data such as usernames, email addresses, and roles via internal APIs, and exfiltrate that data to an external attacker-controlled server. If exploited, this vulnerability can result in a significant compromise of application confidentiality, leading to unauthorized data access and potential financial losses. It can be exploited by an authenticated user with LOW privileges, requiring only LOW attack complexity and USER INTERACTION.
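The root cause described above is context-insensitive rendering of editor-supplied SEO fields. The following added example (not ApostropheCMS code; the field names and template strings are assumptions) shows the vulnerable raw-interpolation pattern beside a hardened version that encodes each of the three contexts named in the advisory separately: HTML text in <title>, a quoted <meta> attribute, and JSON-LD inside a <script> element.

```javascript
// Added example, not ApostropheCMS code: context-aware encoding of SEO
// fields into <title>, a <meta> attribute and a JSON-LD <script> block.

// Encode for HTML text content and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Encode JSON for embedding inside <script type="application/ld+json">.
// JSON.stringify alone is not enough: a "</script>" sequence inside a
// string value closes the element early for the HTML parser. Escaping
// "<" and ">" as \u003c / \u003e keeps the document valid JSON.
function jsonForScript(obj) {
  return JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Vulnerable pattern: field values interpolated without any encoding.
function renderHeadVulnerable(seo) {
  const ld = { '@type': 'WebPage', name: seo.title, description: seo.description };
  return [
    `<title>${seo.title}</title>`,
    `<meta name="description" content="${seo.description}">`,
    `<script type="application/ld+json">${JSON.stringify(ld)}</script>`,
  ].join('\n');
}

// Hardened pattern: one encoder per output context.
function renderHeadSafe(seo) {
  const ld = { '@type': 'WebPage', name: seo.title, description: seo.description };
  return [
    `<title>${escapeHtml(seo.title)}</title>`,
    `<meta name="description" content="${escapeHtml(seo.description)}">`,
    `<script type="application/ld+json">${jsonForScript(ld)}</script>`,
  ].join('\n');
}

// Constructed sample: ordinary text containing markup-significant characters.
const sample = { title: 'Tom & Jerry\'s "Best" <Episodes>', description: 'Mentions </script> literally' };

// Detection helper: does the rendered head still contain the raw user markup?
function containsRawUserMarkup(html) {
  return html.includes('<Episodes>') || html.includes('</script> literally');
}
```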


RECOMMENDATION:

We recommend updating ApostropheCMS (the apostrophe package) to version 4.29.0.

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-855c-r2vq-c292
