Impact
ApostropheCMS builds password reset URLs using the hostname from the HTTP Host header when the baseUrl configuration is omitted. An attacker can supply a forged Host header, causing the CMS to email a reset link that points to the attacker’s domain. When the victim clicks the link, the legitimate reset token is delivered to the attacker, who can then reset the user’s password and gain complete account control. The flaw arises from improper input validation (CWE‑20) and leads to the exposure of sensitive credentials (CWE‑640).
Affected Systems
Versions of the apostrophecms:apostrophe content management system up to and including 4.29.0 are affected whenever the apos.baseUrl setting is left blank. Users running these versions without a defined base URL are at risk because reset URLs are constructed from the user‑controlled Host header.
Risk and Exploitability
The CVSS score of 8.1 classifies this as a high‑severity vulnerability, while the EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild, although it remains possible. It is not listed in CISA’s KEV catalog, so no confirmed in‑the‑wild exploitation has been recorded there yet. The vulnerability does not require any privileged access to the application: an unauthenticated attacker needs only a victim’s email address and the ability to send a password‑reset request with a crafted Host header, so once the victim follows the spoofed link the attack is a straightforward remote one.
OpenCVE Enrichment
Github GHSA