CVE-2026-45012

Published: Jun 12, 2026Modified: Jun 15, 2026Deferred

7.6

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Exploitability: 2.8 / Impact: 4.7

Source: security-advisories@github.com (Secondary)

Description

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation. For image-compatible responses, the fetched content can be persisted and re-hosted by Apostrophe, allowing response exfiltration. As of time of publication, no known patched versions are available.

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-pr28-mf3q-qpg6

Source: security-advisories@github.com

https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-pr28-mf3q-qpg6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.