CVE-2026-35569

Name of the Vulnerable Software and Affected Versions ApostropheCMS versions prior to 4.29.0

Description A stored cross-site scripting issue exists in SEO-related fields, specifically the SEO Title and Meta Description. User-controlled input is rendered without proper output encoding into HTML contexts, including tags, <meta> attributes, and JSON-LD structured data. This allows an attacker to inject and execute arbitrary JavaScript in the browser of authenticated users. This can be used to perform authenticated API requests to endpoints such as '/api/v1/@apostrophecms/user' and exfiltrate sensitive data, including usernames, email addresses, and roles, to an external server.

Recommendations Update to version 4.29.0.