What is the severity of CVE-2026-42853?

CVE-2026-42853 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-42853?

No known public exploits are currently available for CVE-2026-42853.

Is there a patch available for CVE-2026-42853?

No official patches have been released yet for CVE-2026-42853. Consider implementing workarounds or mitigations.

CVE-2026-42853 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

No

Patch

Medium Priority

no patch

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

The @apostrophecms/cli package contains a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system.

━━━━━━━━━━━━━━━━━━━━━━

Details

Vulnerable file: lib/commands/create.js Location: Line 186

The CLI collects a password using an interactive prompt and passes it directly into a shell command.

Vulnerable code:

const response = await prompts({ type: 'password', name: 'pw', message: '🔏 Please enter a password:' });

exec(echo "${response.pw}" | ${createUserCommand});

The value of response.pw is not validated, sanitized, or escaped before being used in exec().

This allows shell metacharacters such as ;, &&, and $() to break out of the intended command and execute arbitrary commands.

━━━━━━━━━━━━━━━━━━━━━━

Steps to Reproduce

Install the CLI npm install -g @apostrophecms/cli
Create a new project mkdir testproject && cd testproject apos create mysite 3)When prompted for the admin password, enter "; id > /tmp/apos_rce_proof.txt; echo " 4)Verify command execution cat /tmp/apos_rce_proof.txt

━━━━━━━━━━━━━━━━━━━━━━

Proof of Concept Output

uid=1000(vboxuser) gid=1000(vboxuser) groups=1000(vboxuser),27(sudo),984(docker)

This confirms arbitrary command execution with the privileges of the user running the CLI.

━━━━━━━━━━━━━━━━━━━━━━

Impact

Arbitrary command execution on the developer’s machine Execution occurs with the privileges of the user running the CLI

This can lead to:

File modification or deletion Credential exposure System compromise depending on user privileges

An attacker can exploit this by influencing the password input (for example, through social engineering, malicious documentation, or compromised automation scripts).

The proof-of-concept shows execution under a user belonging to privileged groups such as sudo and docker, which may allow further privilege escalation depending on system configuration.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Ready for Agentic Automated Testing?

CVE-2026-42853