CVE-2026-42853: ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and
Summary
ApostropheCMS, an open-source Node.js content management system, contains an OS command injection vulnerability (CWE-78: user-controlled input is placed into a system command without being neutralized) in versions up to 3.6.0, located in the apos create command of the @apostrophecms/cli package. The value entered at that command's password prompt is interpolated into a shell command string without escaping, so a value containing shell metacharacters (for example a closing quote followed by a separator and a second command) causes arbitrary commands to run on the host with the privileges of the user running apos create. The crafted value has to be supplied to the prompt on the machine where the CLI runs, which is why the CVSS vector below is local, with high privileges and user interaction required, while the impact on confidentiality, integrity and availability is rated high. The standard remediation for this weakness class is to hand the prompted value to the child program as an argument in an argv array rather than through a formatted shell command.
Vulnerability Details
CVSS Score
6.5(medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector
local
Attack Complexity
low
Privileges Required
high
User Interaction
required
Disclosure Date
June 12, 2026
Classification
Attack Sophistication
Trivial
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42853
First tracked: June 12, 2026 at 08:09 PM
Classified by LLM (prompt v3) · confidence: 95%