CVE-2026-42853
JavaScript Vulnerability Analysis and Mitigation

Overview

CVE-2026-42853 is a command injection vulnerability in the @apostrophecms/cli npm package, specifically in the apos create command. User-supplied input from the interactive password prompt is embedded directly into a shell command without sanitization or escaping, enabling arbitrary OS command execution on the host system. All versions up to and including 3.6.0 are affected, with no patched version available as of the advisory publication date. It carries a CVSS v3.1 base score of 6.5 (Moderate) (GitHub Advisory). The advisory was published on May 13–14, 2026, by boutell via the apostrophecms/apostrophe repository (ApostropheCMS Advisory).

Technical details

The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command). In lib/commands/create.js at line 186, the CLI collects a password via an interactive prompt and passes the raw value straight into Node.js's exec() as part of a shell command string: exec(`echo "${response.pw}" | ${createUserCommand}`). Because response.pw is never validated, sanitized, or shell-escaped, an attacker can inject shell metacharacters such as ;, &&, or $() to break out of the quoted echo argument and execute arbitrary OS commands. The attack vector is local and requires high privileges (the user must be running the CLI) and user interaction (the password prompt must be reached during project creation) (GitHub Advisory, ApostropheCMS Advisory).

Impact

Successful exploitation results in arbitrary command execution on the developer's local machine with the privileges of the user running the CLI. If that user belongs to privileged groups such as sudo or docker (as demonstrated in the proof-of-concept output), further privilege escalation may be possible. Consequences include file modification or deletion, credential exposure, and potential full system compromise. The impact is confined to the local host where the CLI is executed, with no direct network-based lateral movement, but compromised developer machines can serve as a pivot point into broader infrastructure (GitHub Advisory).

Exploitation steps

  1. Install the vulnerable CLI: Run npm install -g @apostrophecms/cli to install version 3.6.0 or earlier.
  2. Initiate project creation: Execute mkdir testproject && cd testproject, then run apos create mysite to trigger the interactive setup wizard.
  3. Reach the password prompt: Proceed through the setup until the CLI displays 🔏 Please enter a password:.
  4. Inject malicious payload: Enter a crafted string containing shell metacharacters, such as "; id > /tmp/apos_rce_proof.txt; echo ", at the password prompt.
  5. Verify command execution: The injected command (id) executes in the context of the shell via exec(), writing output to /tmp/apos_rce_proof.txt. Running cat /tmp/apos_rce_proof.txt confirms execution with the current user's privileges (e.g., uid=1000(vboxuser) groups=1000(vboxuser),27(sudo),984(docker)) (GitHub Advisory).

Indicators of compromise

  • File System: Unexpected files created in /tmp/ or other writable directories (e.g., /tmp/apos_rce_proof.txt) during or after apos create execution; new or modified files in the project directory inconsistent with normal scaffolding output.
  • Process: Unusual child processes spawned by the Node.js process running the CLI (e.g., sh, bash, id, curl, wget, python) visible in process trees during apos create execution.
  • Logs: Shell history entries (e.g., .bash_history, .zsh_history) containing apos create followed by suspicious commands; system audit logs (auditd) recording unexpected exec syscalls from the Node.js process.
  • Network: Unexpected outbound network connections from the developer workstation originating from the Node.js CLI process, particularly if the injected payload includes a reverse shell or data exfiltration command (GitHub Advisory).

Mitigation and workarounds

As of the advisory publication date (May 14, 2026), no patched version of @apostrophecms/cli is available; all versions up to and including 3.6.0 are affected. The advisory recommends replacing exec() with execFile() to avoid shell interpretation of user input — specifically, using execFileSync('node', [appJsPath, userTask, 'admin', 'admin'], { input: response.pw + '\n' }). Until an official patch is released, users should avoid running apos create in untrusted or automated environments, and should not use the CLI in scripts that accept externally controlled password input. Monitor the ApostropheCMS Advisory for patch availability (GitHub Advisory).

Community reactions

The advisory was published by boutell (an ApostropheCMS maintainer) directly in the apostrophecms/apostrophe repository, indicating official acknowledgment of the issue. The vulnerability was discovered by VadlaReddySai and reported by Chittu13. No significant broader media coverage or notable community commentary beyond the GitHub advisory has been identified at this time (ApostropheCMS Advisory).

Additional resources


Source

This report was generated with the help of AI.

Related JavaScript vulnerabilities:

| CVE ID         | Severity | Score | Technologies | Component name     | CISA KEV exploit | Fixed | Publication date |
|----------------|----------|-------|--------------|--------------------|------------------|-------|------------------|
| CVE-2026-44990 | CRITICAL | 9.3   | JavaScript   | sanitize-html      | No               | Yes   | Jun 12, 2026     |
| CVE-2026-45013 | HIGH     | 8.1   | JavaScript   | apostrophe         | No               | No    | Jun 12, 2026     |
| CVE-2026-45012 | HIGH     | 7.6   | JavaScript   | apostrophe         | No               | No    | Jun 12, 2026     |
| CVE-2026-45011 | HIGH     | 7.3   | JavaScript   | apostrophe         | No               | No    | Jun 12, 2026     |
| CVE-2026-42853 | MEDIUM   | 6.5   | JavaScript   | @apostrophecms/cli | No               | No    | Jun 12, 2026     |
