CVE-2026-53609
Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that leads to process-wide authorization bypass
CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th
ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an authenticated editor to write arbitrary values to `Object.prototype` via the `$pullAll` patch operator. A confirmed gadget in `publicApiCheck()` causes this to bypass authorization on all piece-type REST API endpoints for every subsequent unauthenticated request, for the lifetime of the Node.js process. As of time of publication, no known patched versions are available.
| CWE | CWE-1321 |
| Vendor | apostrophecms |
| Product | apostrophe |
| Published | Jun 12, 2026 |
Stay Ahead of the Next One
Get instant alerts for apostrophecms apostrophe
Be the first to know when new critical vulnerabilities affecting apostrophecms apostrophe are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low
Affected Versions
apostrophecms / apostrophe
<= 4.30.0