Description
ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 are vulnerable to stored cross-site scripting via unsanitized user display name in draft version tooltip. As of time of publication, no known patched versions are available.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows stored cross-site scripting through an unsanitized user display name that appears in a tooltip for draft versions of content. Because the data is stored, any user creating a new content draft can embed arbitrary JavaScript into their display name, which will later be rendered as a tooltip when other users, including administrators, view the draft. The injected payload runs with the privileges of the browser session that opens the tooltip and can steal session cookies, deface the site, or redirect users. This flaw is a typical input validation weakness (CWE-79) and does not require special authentication beyond the ability to create or edit a draft.

Affected Systems

This flaw affects ApostropheCMS version 4.29.0 and earlier. The affected product is the open-source Node.js content management system ApostropheCMS from the vendor apostrophecms, product Apostrophe. No patched versions were available at the time of publication.

Risk and Exploitability

With a CVSS score of 5.3 the vulnerability is moderate in severity. No EPSS score was published, and the issue is not listed in the CISA KEV catalog, indicating that, while the flaw could be exploited, it is not known to be actively used in the wild. The attack vector is inferred to be B, i.e., local or remote if an attacker can create a draft. An attacker would need to supply an unsanitized user name when creating or editing content. Because the tooltip rendering occurs in the client browser, exploitation requires that a privileged user view the affected draft. The lack of an official patch means that the exposure remains until the software is updated.

Generated by OpenCVE AI on June 12, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure a strict Content Security Policy that disallows inline scripts and restricts script loading to trusted domains, reducing the impact of any stored XSS payload.
  • Disable or modify the draft version tooltip rendering to remove the unsanitized display name field, or provide a server-side sanitization routine before rendering it.
  • Continuously monitor access logs and browser console errors for signs of XSS exploitation, and plan to upgrade to a patched or newer major version of ApostropheCMS as soon as it becomes available.

Generated by OpenCVE AI on June 12, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 13 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Apostrophecms
Apostrophecms apostrophecms
Vendors & Products Apostrophecms
Apostrophecms apostrophecms

Fri, 12 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 are vulnerable to stored cross-site scripting via unsanitized user display name in draft version tooltip. As of time of publication, no known patched versions are available.
Title Apostrophe Vulnerable to Stored Cross-Site Scripting via Unsanitized User Display Name in Draft Version Tooltip
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Apostrophecms Apostrophecms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-15T17:55:54.492Z

Reserved: 2026-05-08T16:58:28.895Z

Link: CVE-2026-45014

cve-icon Vulnrichment

Updated: 2026-06-15T17:55:50.139Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T21:16:22.990

Modified: 2026-06-15T20:54:05.470

Link: CVE-2026-45014

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T12:30:41Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')