CVE-2026-53609
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
ApostropheCMS is a Node.js content management system that, in versions up to 4.30.0, allows unauthorized modifications to object prototypes by authenticated editors. The use of the `$pullAll` operator enables writing arbitrary values to `Object.prototype`, leading to authorization bypass on all REST API endpoints.
Risk Assessment
The organization may face serious security risks as unauthorized users could gain access to sensitive data or system functions. Potential exploitation of this vulnerability could lead to unauthorized changes in the application.
Recommendation
It is recommended to upgrade to the latest version of ApostropheCMS as soon as a patch is released. Additionally, consider implementing extra security measures such as monitoring and restricting access to the API.
Original NVD description (English source)
ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an authenticated editor to write arbitrary values to `Object.prototype` via the `$pullAll` patch operator. A confirmed gadget in `publicApiCheck()` causes this to bypass authorization on all piece-type REST API endpoints for every subsequent unauthenticated request, for the lifetime of the Node.js process. As of time of publication, no known patched versions are available.

