cvedb.io
CVE-2026-39857
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2026-04-15T20:16:36.567 · Last modified 2026-06-17T10:42:42.587

Summary

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exposed publicly. The choices and counts parameters are processed via applyBuildersSafely before the projection is applied, and MongoDB's distinct operation does not respect projections, returning all distinct values directly. The results are returned in the API response without any filtering against publicApiProjection or removeForbiddenFields. An unauthenticated attacker can extract all distinct field values for any schema field type that has a r

Affected products

apostrophecms — apostrophecms

Does this affect you?

Add your gear to cvedb and we'll alert you only when apostrophecms ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.