Description
ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of time of publication, no known patched versions are available.
Published: 2026-06-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the @apostrophecms/cli package, where the apos create command incorporates user-supplied password input directly into a shell command without sanitization. This is a classic OS command injection (CWE-78) that could let an attacker run arbitrary shell commands on the server hosting the CMS. An attacker who can reach the password prompt could potentially achieve full system compromise, affecting confidentiality, integrity, and availability.

Affected Systems

ApostropheCMS, specifically the @apostrophecms/cli component, in all releases up to and including 3.6.0. The issue impacts Node.js environments where the CLI is used to initialize new sites.

Risk and Exploitability

The published CVSS score of 6.5 reflects moderate severity, but as a command-level injection the real damage potential is high if the CLI is exposed. An EPSS below 1% indicates that exploitation is currently considered unlikely, and the flaw is not in the KEV catalog, yet it remains unpatched. Based on the description, the attack vector is inferred to be local or remote depending on who can supply the prompt input: on remote systems an attacker would need some ability to invoke the CLI, which may be restricted, but the flaw still poses a risk where privilege escalation is possible.

Generated by OpenCVE AI on June 12, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Remove or disable the @apostrophecms/cli package from the production environment until a fixed version is released
  • If the CLI must be used, isolate its execution in a sandboxed container that restricts shell access
  • Use a password policy that rejects input containing shell metacharacters when using the apos create command

Advisories

  Source: Github GHSA
  ID: GHSA-hcwq-x9fw-8cfq
  Title: @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input
History

Sat, 13 Jun 2026 04:30:00 +0000

  Metrics (ssvc), values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 21:00:00 +0000

  Description, values added:
    ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of time of publication, no known patched versions are available.
  Title, values added:
    @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input
  Weaknesses, values added:
    CWE-78
  References, values added:
    (none captured)
  Metrics (cvssV3_1), values added:
    {'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-13T03:34:34.865Z

Reserved: 2026-04-30T16:44:48.378Z

Link: CVE-2026-42853

Vulnrichment

Updated: 2026-06-13T03:34:29.102Z

NVD

Status : Received

Published: 2026-06-12T21:16:21.300

Modified: 2026-06-13T04:17:15.230

Link: CVE-2026-42853

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:00:08Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')