CVE-2026-35569
Published: 15 April 2026
Summary
CVE-2026-35569 is a high-severity cross-site scripting (CWE-79) vulnerability in ApostropheCMS. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). It is ranked at the 21.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-35569 is a stored cross-site scripting (XSS) vulnerability affecting ApostropheCMS, an open-source Node.js content management system. Versions 4.28.0 and prior fail to properly encode user-controlled input in SEO-related fields, such as SEO Title and Meta Description. This input is rendered into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data without adequate output encoding, allowing attackers to inject payloads like "></title><script>alert(1)</script>" to escape the intended context.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) by injecting a malicious payload into the affected SEO fields. When another authenticated user views the page (UI:R), the payload executes arbitrary JavaScript in their browser, achieving high confidentiality and integrity impacts (C:H/I:H) with a changed scope (S:C). This enables the attacker to perform authenticated API requests on behalf of the victim, accessing sensitive data such as usernames, email addresses, and user roles via internal APIs, and exfiltrating it to an attacker-controlled server. The vulnerability is rated 8.7 on the CVSS 3.1 scale and maps to CWE-79 (XSS) and CWE-116 (Improper Encoding).
The issue has been addressed in ApostropheCMS version 4.29.0, as detailed in the project's GitHub security advisory (GHSA-855c-r2vq-c292) and the fixing commit (0e57dd07a56ae1ba1e3af646ba026db4d0ab5bb3), which implement proper output encoding for the affected fields. Security practitioners should upgrade to 4.29.0 or later and review any stored SEO content for malicious payloads. Additional details are available in the referenced CVE research repository.
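The encoding defect behind this CVE is context-specific: the same stored field lands in <title> text, in a <meta> attribute value, and inside a JSON-LD <script> block, and each context needs its own encoder. The block below is an added example, not ApostropheCMS's own code or its fix; it renders a constructed SEO record the raw way the advisory describes and then with per-context encoding, and includes two checks a defender can run against rendered output (an unexpected <script> count, and whether the JSON-LD still parses).

```javascript
// Added example, not ApostropheCMS code: context-aware output encoding for the
// <title>, <meta> attribute and JSON-LD contexts the advisory names. Field values are constructed.
function encodeHtml(s) {
  // HTML text and attribute contexts: neutralise the five significant characters.
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function encodeJsonLd(obj) {
  // The HTML parser closes a <script> at the first "</script", so JSON.stringify
  // alone is not enough; \u003c keeps the JSON valid and removes the breakout.
  return JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Pre-fix pattern the advisory describes: raw interpolation into each context.
function renderHeadUnsafe(seo) {
  const ld = JSON.stringify({ '@type': 'WebPage', name: seo.title });
  return `<title>${seo.title}</title>\n` +
    `<meta name="description" content="${seo.description}">\n` +
    `<script type="application/ld+json">${ld}</script>`;
}

// Hardened rendering: each field is encoded for the context it lands in.
function renderHeadSafe(seo) {
  const ld = encodeJsonLd({ '@type': 'WebPage', name: seo.title });
  return `<title>${encodeHtml(seo.title)}</title>\n` +
    `<meta name="description" content="${encodeHtml(seo.description)}">\n` +
    `<script type="application/ld+json">${ld}</script>`;
}

// Regression check: the template writes exactly one <script>; any extra one
// means a stored field broke out of its context.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Round-trip check: the JSON-LD block must still parse back to the title.
function jsonLdName(html) {
  const m = html.match(/<script type="application\/ld\+json">([\s\S]*?)<\/script>/);
  try { return m ? JSON.parse(m[1]).name : null; } catch { return null; }
}

// Constructed field values using the breakout string quoted in the advisory.
const SAMPLE_SEO = {
  title: '"></title><script>alert(1)</script>',
  description: 'Summer "sale" <b>now</b>',
};
```

With the raw template the stored title terminates both the <title> element and the JSON-LD script, which is why the unsafe output carries three <script> tags and its JSON-LD no longer parses; the encoded version keeps one script tag and round-trips the title intact.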
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23106
Vulnerability details
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as "></title><script>alert(1)</script> to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any authenticated user who views the affected page. This can be leveraged to perform authenticated API requests, access sensitive data such as usernames, email addresses, and roles via internal APIs, and exfiltrate it to an attacker-controlled server. This issue has been fixed in version 4.29.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables arbitrary JavaScript execution in the victim's browser, which directly facilitates session hijacking to act as the victim (T1185) and exfiltration of data (usernames, emails, roles) to an attacker-controlled server via a web service (T1567).
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): directly addresses the improper output encoding of user-controlled SEO fields by requiring filtering and encoding before rendering into HTML contexts such as title tags and meta attributes, preventing XSS payload execution.
- Input validation: validates and sanitizes user input in SEO fields on entry so that malicious payloads such as script tags are blocked before they are stored in the CMS database.
- SI-2 (Flaw Remediation): ensures timely remediation of this specific XSS flaw by applying the ApostropheCMS 4.29.0 patch, which implements proper output encoding.