CVE-2026-45011
Deferred Deferred - Pending Action

Stored XSS in ApostropheCMS Image Widget

Vulnerability report for CVE-2026-45011, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the live site. When another user, including an administrator or public visitor, clicks the affected image/link, arbitrary JavaScript executes in the victim’s browser. As of time of publication, no known patched versions are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-12
Last Modified
2026-06-15
Generated
2026-07-03
AI Q&A
2026-06-13
EPSS Evaluated
2026-07-01
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apostrophecms apostrophe to 4.29.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in ApostropheCMS version 4.29.0, an open-source Node.js content management system. It is a stored cross-site scripting (XSS) vulnerability found in the image widget functionality.

A user with the Editor role can configure an image widget link to use a malicious javascript: URL payload. Since editors have permission to publish pages, this malicious widget can be published to the live site.

When another user, including administrators or public visitors, clicks the affected image or link, arbitrary JavaScript code executes in their browser, potentially leading to unauthorized actions or data exposure.

Impact Analysis

This vulnerability can lead to arbitrary JavaScript execution in the browsers of users who click on the malicious image or link.

Potential impacts include theft of sensitive information such as cookies or session tokens, unauthorized actions performed on behalf of the victim, and compromise of user accounts.

Because the malicious code runs in the context of the affected site, it can affect administrators, editors, and public visitors, increasing the risk and scope of the attack.

Mitigation Strategies

As of the time of publication, no known patched versions of ApostropheCMS are available to fix this vulnerability.

To mitigate the risk, restrict or review the permissions of users with the Editor role to prevent them from configuring image widget links with javascript: URL payloads.

Additionally, consider disabling or limiting the use of image widgets that allow link configuration until a patch is released.

Educate users and administrators to be cautious when clicking on image links published by editors.

Compliance Impact

This vulnerability allows arbitrary JavaScript execution in the browsers of users who click on a maliciously crafted image widget link. Such cross-site scripting (XSS) vulnerabilities can lead to unauthorized access to sensitive information, session hijacking, or other malicious actions.

Because of the potential for unauthorized access or data exposure, this vulnerability could impact compliance with data protection regulations such as GDPR and HIPAA, which require organizations to protect personal and sensitive data from unauthorized access or disclosure.

Specifically, failure to address this vulnerability may result in non-compliance with requirements for maintaining the confidentiality and integrity of personal data, potentially leading to regulatory penalties or reputational damage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45011. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart