Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-42853

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-12 Jun, 2026 | 20:37
Updated At-12 Jun, 2026 | 20:37
Rejected At-
Credits

@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of time of publication, no known patched versions are available.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:12 Jun, 2026 | 20:37
Updated At:12 Jun, 2026 | 20:37
Rejected At:
▼CVE Numbering Authority (CNA)
@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of time of publication, no known patched versions are available.

Affected Products
Vendor
apostrophecms
Product
@apostrophecms/cli
Versions
Affected
  • <= 3.6.0
Problem Types
TypeCWE IDDescription
CWECWE-78CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Type: CWE
CWE ID: CWE-78
Description: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-hcwq-x9fw-8cfq
x_refsource_CONFIRM
Hyperlink: https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-hcwq-x9fw-8cfq
Resource:
x_refsource_CONFIRM
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:12 Jun, 2026 | 21:16
Updated At:12 Jun, 2026 | 21:16

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of time of publication, no known patched versions are available.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-78Primarysecurity-advisories@github.com
CWE ID: CWE-78
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-hcwq-x9fw-8cfqsecurity-advisories@github.com
N/A
Hyperlink: https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-hcwq-x9fw-8cfq
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

4Records found
CVE-2024-8934
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.79%
||
7 Day CHG-0.00%
Published-31 Oct, 2024 | 12:44
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Beckhoff: Local command injection via TwinCAT Package Manager

A local user with administrative access rights can enter specialy crafted values for settings at the user interface (UI) of the TwinCAT Package Manager which then causes arbitrary OS commands to be executed.

Action-Not Available
Vendor-Beckhoff Automation GmbH & Co. KG
Product-TwinCAT Package Managertwincat_packet_manager
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-3595
Matching Score-4
Assigner-Trellix
ShareView Details
Matching Score-4
Assigner-Trellix
CVSS Score-2||LOW
EPSS-0.19% / 41.21%
||
7 Day CHG~0.00%
Published-24 Jul, 2019 | 14:28
Updated-04 Aug, 2024 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DLP Endpoint ePO extension not sanitizing CSV exports

Improper Neutralization of Special Elements used in a Command ('Command Injection') in ePO extension in McAfee Data Loss Prevention (DLP) 11.x prior to 11.3.0 allows Authenticated Adminstrator to execute arbitrary code with their local machine privileges via a specially crafted DLP policy, which is exported and opened on the their machine. In our checks, the user must explicitly allow the code to execute.

Action-Not Available
Vendor-McAfee, LLC
Product-data_loss_prevention_endpointDLP Endpoint ePO extension
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-29256
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.16% / 37.42%
||
7 Day CHG~0.00%
Published-25 May, 2022 | 21:20
Updated-23 Apr, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Possible vulnerability at 'npm install' time in sharp if an attacker has control over build environment

sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5.

Action-Not Available
Vendor-sharp_projectlovell
Product-sharpsharp
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-50377
Matching Score-4
Assigner-Nozomi Networks Inc.
ShareView Details
Matching Score-4
Assigner-Nozomi Networks Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.03% / 10.68%
||
7 Day CHG~0.00%
Published-26 Nov, 2024 | 10:57
Updated-23 Jan, 2026 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-798 "Use of Hard-coded Credentials" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability is associated to the backup configuration functionality that by default encrypts the archives using a static password.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-eki-6333ac-1gpo_firmwareeki-6333ac-2geki-6333ac-2g_firmwareeki-6333ac-1gpoeki-6333ac-2gdeki-6333ac-2gd_firmwareEKI-6333AC-1GPOEKI-6333AC-2GDEKI-6333AC-2Geki-6333ac-1gpo_firmwareeki-6333ac-2gd_firmwareeki-6333ac-2g_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-798
Use of Hard-coded Credentials
Details not found