Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS

Severity:: High

Description

A stored cross-site scripting (XSS) vulnerability exists in SEO-related fields (SEO Title and Meta Description) in ApostropheCMS.

Improper neutralization of user-controlled input in SEO-related fields allows injection of arbitrary JavaScript into HTML contexts, resulting in stored cross-site scripting (XSS).

Recommendation

Update the apostrophe package to the latest compatible version. Followings are version details:

Affected version(s): <= 4.28.0
Patched version(s): 4.29.0

References

GHSA-855c-r2vq-c292
CVE-2026-35569
CWE-116
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context - CVE-2026-33889
dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration - CVE-2026-34725
Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover - @haxtheweb/video-player - CVE-2026-46396
ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API - CVE-2026-33888

How to Secure your NodeJs Express Javascript Application - part 1

CSRF, XXE, and 12 Other Security Acronyms Explained

How do hackers hack websites?

Tags:: npm; apostrophe

Anything's wrong? Let us know Last updated on April 30, 2026