Cyber Resilience

CVE-2026-35569

High · Public PoC

Published: 15 April 2026
Modified: 30 April 2026
KEV Added: not listed
Patch: ApostropheCMS 4.29.0
CVSS Score (v3.1): 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0030 (21.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35569 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Apostrophecms Apostrophecms. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); it is ranked at the 21.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35569 is a stored cross-site scripting (XSS) vulnerability affecting ApostropheCMS, an open-source Node.js content management system. Versions 4.28.0 and prior fail to properly encode user-controlled input in SEO-related fields, such as SEO Title and Meta Description. This input is rendered into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data without adequate output encoding, allowing attackers to inject payloads like "></title><script>alert(1)</script>" to escape the intended context.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) by injecting a malicious payload into the affected SEO fields. When another authenticated user views the page (UI:R), the payload executes arbitrary JavaScript in their browser, achieving high confidentiality and integrity impacts (C:H/I:H) with a changed scope (S:C). This enables the attacker to perform authenticated API requests on behalf of the victim, accessing sensitive data such as usernames, email addresses, and user roles via internal APIs, and exfiltrating it to an attacker-controlled server. The vulnerability is rated 8.7 on the CVSS 3.1 scale and maps to CWE-79 (XSS) and CWE-116 (Improper Encoding).

The issue has been addressed in ApostropheCMS version 4.29.0, as detailed in the project's GitHub security advisory (GHSA-855c-r2vq-c292) and the fixing commit (0e57dd07a56ae1ba1e3af646ba026db4d0ab5bb3), which implement proper output encoding for the affected fields. Security practitioners should upgrade to 4.29.0 or later and review any stored SEO content for malicious payloads. Additional details are available in the referenced CVE research repository.

Vulnerability details

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as "></title><script>alert(1)</script> to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any authenticated user who views the affected page. This can be leveraged to perform authenticated API requests, access sensitive data such as usernames, email addresses, and roles via internal APIs, and exfiltrate it to an attacker-controlled server. This issue has been fixed in version 4.29.0.
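As an added example (not ApostropheCMS code and not the project's fix), the Node.js snippet below contrasts the unencoded rendering pattern described in the deeper analysis and the vulnerability details above with context-aware encoding for the three sinks this advisory names: the <title> text node, a <meta> attribute value, and a JSON-LD <script> block. The `seo` field names and the helper for reviewing stored SEO content after upgrading are assumptions.

```javascript
// Added example, not ApostropheCMS code: the unencoded rendering pattern beside
// context-aware encoding for the three sinks this advisory names. The `seo`
// field names and the review helper are assumptions for illustration.

// Encode for HTML text content and double-quoted attribute values.
function encodeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Serialize for a JSON-LD <script> block. JSON.stringify alone is not enough:
// a string containing "</script>" would close the block early, so "<" is
// escaped after serializing (it stays valid JSON and still parses as JSON-LD).
function jsonForScript(obj) {
  return JSON.stringify(obj)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
}

// Pre-fix pattern: raw interpolation of stored SEO fields into each context.
function renderHeadVulnerable(seo) {
  return `<title>${seo.title}</title>\n` +
    `<meta name="description" content="${seo.description}">\n` +
    `<script type="application/ld+json">{"@type":"WebPage","name":"${seo.title}"}</script>`;
}

// Hardened pattern: encode per context at render time, never trusting storage.
function renderHeadSafe(seo) {
  const ld = { "@context": "https://schema.org", "@type": "WebPage",
               name: seo.title, description: seo.description };
  return `<title>${encodeHtml(seo.title)}</title>\n` +
    `<meta name="description" content="${encodeHtml(seo.description)}">\n` +
    `<script type="application/ld+json">${jsonForScript(ld)}</script>`;
}

// Review aid for stored SEO content after upgrading: flags values containing a
// tag-like sequence, which no legitimate title or description needs.
function looksLikeMarkupInjection(value) {
  return /<\/?[a-zA-Z!]/.test(String(value));
}

// Constructed sample using the payload shape quoted in the advisory.
const SAMPLE = { title: '"></title><script>alert(1)</script>', description: "Plain text" };
```

The hardened output contains exactly one </title> and one </script>, so the stored value can no longer terminate the context it is rendered into.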

CWE(s): CWE-79 (Cross-site Scripting), CWE-116 (Improper Encoding)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1567 Exfiltration Over Web Service (Exfiltration)
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
Why these techniques?

Stored XSS enables arbitrary JavaScript execution in the victim's browser, directly facilitating session hijacking to act as the victim (T1185) and exfiltration of data (usernames, emails, roles) to an attacker server via a web service (T1567).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32730 · Same product: Apostrophecms Apostrophecms
CVE-2025-0595 · Shared CWE-79
CVE-2026-48209 · Shared CWE-116, CWE-79
CVE-2026-32731 · Same vendor: Apostrophecms
CVE-2026-35455 · Shared CWE-79
CVE-2026-25932 · Shared CWE-116, CWE-79
CVE-2026-32754 · Shared CWE-116, CWE-79
CVE-2026-9024 · Shared CWE-79
CVE-2026-35534 · Shared CWE-116, CWE-79
CVE-2025-24412 · Shared CWE-79

Affected Assets

Vendor: apostrophecms
Product: apostrophecms
Versions: ≤ 4.29.0

Mitigating Controls (NIST 800-53 r5) (AI)

SI-15 Information Output Filtering (prevent)

Directly addresses the improper output encoding of user-controlled SEO fields by requiring filtering and encoding before rendering into HTML contexts like title tags and meta attributes to prevent XSS payload execution.

Input validation (prevent)

Validates and sanitizes user input in SEO fields upon entry to block malicious payloads like script tags from being stored in the CMS database.

SI-2 Flaw Remediation (prevent)

Ensures timely remediation of the specific XSS flaw by applying the patch in ApostropheCMS version 4.29.0 that implements proper output encoding.

References