Description
ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the live site. When another user, including an administrator or public visitor, clicks the affected image/link, arbitrary JavaScript executes in the victim’s browser. As of time of publication, no known patched versions are available.
Published: 2026-06-12
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ApostropheCMS contains a stored cross‑site scripting flaw in the image widget. An editor can set a link on an image widget to a "javascript:" URL. When a user, including an administrator or a public visitor, clicks the image the script runs in that user’s browser. The flaw is a classic XSS (CWE‑79) that can be exploited to steal credentials, hijack sessions or deface the site.

Affected Systems

The vulnerability affects the ApostropheCMS application version 4.29.0. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 7.3 indicates a high impact risk. The EPSS score is below 1%, meaning exploitation probability is low, and the CVE is not listed in CISA’s KEV catalog. The flaw can be triggered by anyone who has Editor privileges, which includes users capable of publishing pages. Attackers with such access can embed malicious payloads that will execute in the browsers of visitors or administrators.

Generated by OpenCVE AI on June 12, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict image widget URLs to only allow http:// and https:// protocols and reject javascript: links through schema validation
  • Remove any existing image widgets that contain javascript: URLs and republish pages to ensure the malicious code is purged
  • Reevaluate editor role permissions: either remove link editing from image widgets or restrict the Editor role to prevent the creation of such links until a patch is available

Generated by OpenCVE AI on June 12, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5f64-7vfc-rcx6 Apostrophe has stored XSS via javascript: URL in Image Widget Link
History

Mon, 15 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 13 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Apostrophecms
Apostrophecms apostrophecms
Vendors & Products Apostrophecms
Apostrophecms apostrophecms

Fri, 12 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the live site. When another user, including an administrator or public visitor, clicks the affected image/link, arbitrary JavaScript executes in the victim’s browser. As of time of publication, no known patched versions are available.
Title Apostrophe has stored XSS via javascript: URL in Image Widget Link
Weaknesses CWE-116
CWE-79
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


Subscriptions

Apostrophecms Apostrophecms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-15T15:16:38.776Z

Reserved: 2026-05-08T16:58:28.895Z

Link: CVE-2026-45011

cve-icon Vulnrichment

Updated: 2026-06-15T15:15:56.918Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T21:16:22.580

Modified: 2026-06-15T20:54:05.470

Link: CVE-2026-45011

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T12:30:47Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')