CVE-2026-42853 MEDIUM

CVE-2026-42853: @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

Vendor Apostrophecms

Product @apostrophecms/cli

Weakness CWE-78

Published June 12, 2026

Last update June 13, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Local

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of time of publication, no known patched versions are available.

Key dates

02Disclosure timeline

June 12, 2026 CVE published

June 13, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-42853 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2026-42853: @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

01Description

02Disclosure timeline

03References

04Related CVE