Description
ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the live site. When another user, including an administrator or public visitor, clicks the affected image/link, arbitrary JavaScript executes in the victim’s browser. As of time of publication, no known patched versions are available.
Published: 2026-06-12
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ApostropheCMS contains a stored cross‑site scripting flaw in the image widget. An editor can set a link on an image widget to a "javascript:" URL. When a user, including an administrator or a public visitor, clicks the image the script runs in that user’s browser. The flaw is a classic XSS (CWE‑79) that can be exploited to steal credentials, hijack sessions or deface the site.

Affected Systems

The vulnerability affects the ApostropheCMS application version 4.29.0. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 7.3 indicates a high impact risk. The EPSS score is below 1%, meaning exploitation probability is low, and the CVE is not listed in CISA’s KEV catalog. The flaw can be triggered by anyone who has Editor privileges, which includes users capable of publishing pages. Attackers with such access can embed malicious payloads that will execute in the browsers of visitors or administrators.

Generated by OpenCVE AI on June 12, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict image widget URLs to only allow http:// and https:// protocols and reject javascript: links through schema validation
  • Remove any existing image widgets that contain javascript: URLs and republish pages to ensure the malicious code is purged
  • Reevaluate editor role permissions: either remove link editing from image widgets or restrict the Editor role to prevent the creation of such links until a patch is available

Generated by OpenCVE AI on June 12, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5f64-7vfc-rcx6 Apostrophe has stored XSS via javascript: URL in Image Widget Link
History

Fri, 12 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the live site. When another user, including an administrator or public visitor, clicks the affected image/link, arbitrary JavaScript executes in the victim’s browser. As of time of publication, no known patched versions are available.
Title Apostrophe has stored XSS via javascript: URL in Image Widget Link
Weaknesses CWE-116
CWE-79
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:43:18.939Z

Reserved: 2026-05-08T16:58:28.895Z

Link: CVE-2026-45011

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-12T21:16:22.580

Modified: 2026-06-12T21:16:22.580

Link: CVE-2026-45011

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T22:30:08Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')