Severity | Score | CVE | Advisory | Affected versions
CRITICAL | 9.8 | CVE-2021-25979 | Apostrophe CMS Insufficient Session Expiration vulnerability | >= 2.63.0, < 3.4.0
HIGH | 8.7 | CVE-2026-35569 | Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS | from 0, < 4.29.0
HIGH | 8.1 | | Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation | from 0, <= 4.29.0
HIGH | 8.1 | | ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware | from 0, < 4.28.0
HIGH | 7.6 | | Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget | from 0, <= 4.29.0
HIGH | 7.3 | | Apostrophe has stored XSS via javascript: URL in Image Widget Link | 
MEDIUM | 5.4 | | ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context | from 0, < 4.29.0
MEDIUM | 5.4 | | Cross-site Scripting in apostrophe | >= 2.63.0, < 3.4.0
MEDIUM | 5.3 | | ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions | from 0, < 4.29.0
MEDIUM | 5.3 | | ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API | from 0, < 4.29.0
LOW | 3.7 | | ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint | from 0, < 4.29.0