CVE-2026-45013

Published: Jun 12, 2026Modified: Jun 13, 2026

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: security-advisories@github.com (Secondary)

Description

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using `req.hostname`, which is derived directly from the attacker-controlled HTTP `Host` header when `apos.baseUrl` is not explicitly configured. An unauthenticated attacker who knows a victim's email address can send a crafted reset request that causes the application to email the victim a reset link pointing to the attacker's domain. When the victim clicks the link, the valid reset token is delivered to the attacker, enabling full account takeover. As of time of publication, no known patched versions are available.

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-640

Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

References (2)

https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-gf43-24g3-5hw2

Source: security-advisories@github.com

https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-gf43-24g3-5hw2

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.