@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input
Summary The @apostrophecms/cli package contains a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. ━━━━━━━━━━━━━━━━━━━━━━ Details Vulnerable file: lib/commands/create.js Location: Line 186 The CLI collects a password using an interactive prompt and passes it directly into a shell command. Vulnerable code: const …