What is CVE-2026-33877?

CVE-2026-33877 is a low-severity vulnerability in Apostrophecms Apostrophe, classified under CWE-208. CVSS score: 3.7/10. Published 2026-04-15.

How severe is CVE-2026-33877?

Low severity. CVSS v3 base score is 3.7 out of 10.

Vulnerability in Apostrophecms Apostrophe

CVE-2026-33877

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticate…

EPSS: 0.000 (8.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.7 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N.

Affected products

Apostrophecms Apostrophe — versions < 4.29.0

Weakness classification (CWE)

CWE-208

References

https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mj7r-x3h3-7rmr (x_refsource_CONFIRM)
https://github.com/apostrophecms/apostrophe/commit/e266cffd8c0d331a9b05c92bf11616556efcdc77 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33877?: CVE-2026-33877 is a low-severity vulnerability in Apostrophecms Apostrophe, classified under CWE-208. CVSS score: 3.7/10. Published 2026-04-15.
How severe is CVE-2026-33877?: Low severity. CVSS v3 base score is 3.7 out of 10.