Description
ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation. For image-compatible responses, the fetched content can be persisted and re-hosted by Apostrophe, allowing response exfiltration. As of time of publication, no known patched versions are available.
Published: 2026-06-12
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ApostropheCMS versions up to 4.29.0 are vulnerable to an authenticated SSRF in the rich-text widget import flow. An authenticated user capable of submitting or editing widget content can trigger the server to fetch an attacker-controlled URL during validation. If the response is image-compatible, the fetched content is persisted and re-hosted by the CMS, allowing an attacker to exfiltrate data. This flaw is identified by CWE-918.

Affected Systems

The vulnerability affects ApostropheCMS, specifically all releases up through version 4.29.0. Any deployment of these versions that enables rich-text widget imports is potentially exposed.

Risk and Exploitability

The CVSS v3.1 base score of 7.6 (High) indicates moderate to high severity, while the EPSS score of less than 1% suggests exploitation is currently unlikely but possible. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is an authenticated web user who can add or modify rich-text widgets: the attacker supplies a URL that the server requests during validation, and if the response is image-compatible, the CMS stores and serves it, effectively leaking the response content to the attacker.

Generated by OpenCVE AI on June 12, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • A patch is not yet available; as a temporary measure, configure a firewall or application-level proxy to filter outbound requests from the ApostropheCMS process during widget import, allowing only trusted endpoints.
  • Disable or restrict the rich-text widget import functionality or lock editing privileges until an official fix is released.
  • Continuously monitor outbound HTTP requests and audit the media repository for unexpected external content, taking corrective action if unauthorized artifacts are found.
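The first recommendation above, restricting outbound fetches of user-supplied URLs to trusted endpoints, is the standard application-level SSRF control. The following is an added example, not ApostropheCMS code and not part of the OpenCVE record: an egress guard a Node.js service can run before fetching any URL that originated from editor input. It accepts only http/https, refuses embedded credentials, requires the host to be on an explicit allowlist, and checks every address the host maps to against loopback, link-local (including the cloud metadata range), RFC 1918 and IPv4-mapped IPv6 ranges, so a hostname that resolves to an internal address is refused even though it is allowlisted. The hostnames, the allowlist and the DNS table are constructed for the example; the resolver is injected as a plain function so the check runs offline, and in production it would wrap dns.promises.lookup with { all: true } instead.

```javascript
// Added example (not ApostropheCMS code): egress guard for user-supplied URLs.
// Policy: http/https only, no credentials in the URL, host must be allowlisted,
// and every address the host maps to must be a public one.

const BLOCKED_V4 = [          // [network, prefix length]
  ['0.0.0.0', 8],             // "this" network
  ['10.0.0.0', 8],            // RFC 1918
  ['100.64.0.0', 10],         // carrier-grade NAT
  ['127.0.0.0', 8],           // loopback
  ['169.254.0.0', 16],        // link-local, includes metadata 169.254.169.254
  ['172.16.0.0', 12],         // RFC 1918
  ['192.168.0.0', 16],        // RFC 1918
];

// Dotted-quad string -> unsigned 32-bit integer, or null if malformed.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some(x => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isBlockedIPv4(ip) {
  const n = parseIPv4(ip);
  if (n === null) return true;                      // malformed: refuse
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((parseIPv4(net) & mask) >>> 0);
  });
}

// True for any address that must never be fetched from a server-side request.
function isBlockedAddress(addr) {
  const a = addr.toLowerCase();
  if (!a.includes(':')) return isBlockedIPv4(a);
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(a);   // IPv4-mapped IPv6
  if (mapped) return isBlockedIPv4(mapped[1]);
  return a === '::' || a === '::1' ||                       // unspecified, loopback
         a.startsWith('fe80:') ||                           // link-local
         a.startsWith('fc') || a.startsWith('fd');          // unique local fc00::/7
}

// Returns { ok: true, addresses } or { ok: false, reason }.
// `resolve(host)` must return an array of address strings (hypothetical injected resolver).
function checkOutboundUrl(rawUrl, allowedHosts, resolve) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // WHATWG URL parsing already normalises forms like 127.1, 0x7f000001 or 2130706433
  // to dotted quads; IPv6 literals keep their brackets in hostname, so strip them.
  const host = url.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (!allowedHosts.has(host)) return { ok: false, reason: `host ${host} not allowlisted` };
  const isLiteral = parseIPv4(host) !== null || host.includes(':');
  const addresses = isLiteral ? [host] : resolve(host);
  if (!addresses || addresses.length === 0) return { ok: false, reason: 'host did not resolve' };
  const bad = addresses.find(isBlockedAddress);
  if (bad) return { ok: false, reason: `resolves to non-public address ${bad}` };
  return { ok: true, addresses };
}

// Constructed sample data for offline use: an allowlist and a fake DNS table.
const ALLOWED_HOSTS = new Set(['images.example.com', 'rebind.example.com', 'v6.example.com']);
const CONSTRUCTED_DNS = {
  'images.example.com': ['203.0.113.10'],            // public, documentation range
  'rebind.example.com': ['203.0.113.11', '10.0.0.5'], // one internal answer: refuse
  'v6.example.com': ['2001:db8::1'],                 // public IPv6 documentation range
};
const fakeResolve = host => CONSTRUCTED_DNS[host] || [];

// Demo over constructed inputs; the verdicts are what a log line should record.
const SAMPLE_URLS = [
  'https://images.example.com/logo.png',
  'http://rebind.example.com/x.png',
  'http://127.0.0.1/',
  'http://images.example.com@127.0.0.1/',
  'file:///etc/hostname',
];
for (const u of SAMPLE_URLS) {
  console.log(u, '=>', JSON.stringify(checkOutboundUrl(u, ALLOWED_HOSTS, fakeResolve)));
}
```

The order of the checks matters: the allowlist is consulted on the parsed, normalised hostname (so userinfo tricks and numeric IP encodings cannot smuggle a different host past it), and the resolved-address check is applied to every answer, not just the first, because a single internal A record is enough for a client that retries across answers. A deployment should also pin the address it validated for the actual connection, otherwise a second lookup at fetch time can return a different answer.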

Tracking


Advisories
Source | ID | Title
Github GHSA | GHSA-pr28-mf3q-qpg6 | Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget
History

Fri, 12 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation. For image-compatible responses, the fetched content can be persisted and re-hosted by Apostrophe, allowing response exfiltration. As of time of publication, no known patched versions are available.
Title | (none) | Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget
Weaknesses | (none) | CWE-918
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:44:48.842Z

Reserved: 2026-05-08T16:58:28.895Z

Link: CVE-2026-45012

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T21:16:22.720

Modified: 2026-06-12T21:16:22.720

Link: CVE-2026-45012

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:00:08Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)