@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

Severity:: Medium

Description

Summary

The @apostrophecms/cli package contains a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system.

Recommendation

No fix is available yet. Followings are affected versions:

<= 3.6.0

References

GHSA-hcwq-x9fw-8cfq
CVE-2026-42853
CWE-78
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation - CVE-2026-26318
jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280
Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection - CVE-2026-44724

How do hackers hack websites?

SmartScanner 2.3: Smarter JavaScript Detection, Faster Scans, and Powerful CLI Enhancements

Update Cheat Sheet for Developers

Tags:: npm; @apostrophecms/cli

Anything's wrong? Let us know Last updated on May 14, 2026