CVE-2026-45011
Stored XSS in ApostropheCMS Image Widget

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the live site. When another user, including an administrator or public visitor, clicks the affected image/link, arbitrary JavaScript executes in the victim's browser. As of the time of publication, no known patched versions are available.
Affected Vendors & Products
One associated CPE:
Vendor: apostrophecms; Product: apostrophe; Version / Range: up to 4.29.0 (excluding)
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Executive Summary

This vulnerability exists in ApostropheCMS version 4.29.0, an open-source Node.js content management system. It is a stored cross-site scripting (XSS) vulnerability found in the image widget functionality.

A user with the Editor role can configure an image widget link to use a malicious javascript: URL payload. Since editors have permission to publish pages, this malicious widget can be published to the live site.

When another user, including administrators or public visitors, clicks the affected image or link, arbitrary JavaScript code executes in their browser, potentially leading to unauthorized actions or data exposure.

Impact Analysis

This vulnerability can lead to arbitrary JavaScript execution in the browsers of users who click on the malicious image or link.

Potential impacts include theft of sensitive information such as cookies or session tokens, unauthorized actions performed on behalf of the victim, and compromise of user accounts.

Because the malicious code runs in the context of the affected site, it can affect administrators, editors, and public visitors, increasing the risk and scope of the attack.

Mitigation Strategies

As of the time of publication, no known patched versions of ApostropheCMS are available to fix this vulnerability.

To mitigate the risk, restrict or review the permissions of users with the Editor role to prevent them from configuring image widget links with javascript: URL payloads.

Additionally, consider disabling or limiting the use of image widgets that allow link configuration until a patch is released.

Educate users and administrators to be cautious when clicking on image links published by editors.
