CVE-2026-45012
Deferred - Pending Action

Authenticated SSRF in ApostropheCMS Rich-Text Widget

Vulnerability report for CVE-2026-45012, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit or edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation. For image-compatible responses, the fetched content can be persisted and re-hosted by Apostrophe, allowing response exfiltration. As of the time of publication, no known patched versions are available.


Meta Information

Published
2026-06-12
Last Modified
2026-06-15
Generated
2026-07-03
AI Q&A
2026-06-13
EPSS Evaluated
2026-07-01

Affected Vendors & Products

Showing 1 associated CPE
Vendor: apostrophecms
Product: apostrophe
Version / Range: up to and including 4.29.0

Exploitability

CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

AI Quick Actions

Executive Summary

This vulnerability exists in ApostropheCMS, an open-source Node.js content management system, in versions up to and including 4.29.0. It is an authenticated server-side request forgery (SSRF) issue found in the rich-text widget import flow. An authenticated user who can submit or edit rich-text widget content can cause the server to fetch URLs controlled by an attacker during the widget validation process.

If the server receives an image-compatible response from the attacker-controlled URL, the fetched content can be stored and re-hosted by ApostropheCMS, which allows the attacker to exfiltrate data via the server.

As of the publication date, no patched versions are available to fix this vulnerability.

Compliance Impact

The vulnerability in ApostropheCMS allows an authenticated user to cause the server to fetch attacker-controlled URLs and potentially persist and re-host fetched content, which could lead to unauthorized data exposure.

Such unauthorized data exposure and exfiltration risks could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and disclosure.

Mitigation Strategies

As of the time of publication, no known patched versions are available for this vulnerability.

To mitigate the risk, restrict authenticated users from submitting or editing rich-text widget content that could trigger server-side requests.

Monitor and limit the URLs that the server can fetch during widget validation to prevent fetching attacker-controlled URLs.

Consider implementing network-level controls to block outgoing requests to untrusted or external URLs initiated by the ApostropheCMS server.

Impact Analysis

This vulnerability can impact you by allowing an authenticated user to make the server fetch arbitrary URLs controlled by an attacker. This can lead to unauthorized data exfiltration if the server stores and re-hosts the fetched content.

The impact includes potential confidentiality breaches (high confidentiality impact), integrity issues (low integrity impact), and availability concerns (low availability impact), as indicated by the CVSS score.
