CVE-2026-45011
Apostrophe has stored XSS via javascript: URL in Image Widget Link
| CVSS Score | 7.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 10th |
ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the live site. When another user, including an administrator or public visitor, clicks the affected image/link, arbitrary JavaScript executes in the victim's browser. As of time of publication, no known patched versions are available.
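The defect described above is a missing scheme check on an editor-controlled link href. The following is an added example, not ApostropheCMS code, of how a CMS could guard such a field: it resolves the href with the WHATWG URL parser (so the same whitespace stripping, tab/newline removal and scheme lower-casing a browser applies are reproduced), allows only an explicit set of schemes, and attribute-escapes the value when rendering. The function names, the allow-list, the `renderImageWidget` shape and all sample hrefs are assumptions constructed for illustration.

```javascript
// Added example (not ApostropheCMS code): allow-list check for a user-supplied
// link href such as the image widget link in the advisory. All names below are
// illustrative assumptions about how a CMS might guard editor-controlled hrefs.

// Schemes an editor may legitimately link to; anything else is rejected.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Base used only to resolve relative hrefs ("/page", "#anchor", "?q=1").
// The host is irrelevant; only the resulting protocol is inspected.
const RESOLVE_BASE = 'https://base.invalid/';

// Return the scheme a browser would actually use for `href`, or null when the
// value is empty or unparseable. The WHATWG URL parser strips leading/trailing
// whitespace, removes embedded tab/newline characters and lower-cases the
// scheme, so "  JavaScript:", "java\tscript:" and "JAVASCRIPT:" all yield
// "javascript:". Checking the parsed protocol therefore beats string matching.
function effectiveProtocol(href) {
  if (typeof href !== 'string' || href.trim() === '') return null;
  try {
    return new URL(href, RESOLVE_BASE).protocol;
  } catch (_err) {
    return null;
  }
}

function isSafeLinkHref(href) {
  const proto = effectiveProtocol(href);
  return proto !== null && ALLOWED_PROTOCOLS.has(proto);
}

// Value to store or render: the original href when it is safe, otherwise null
// so the caller drops the link (or rejects the save with a validation error).
function sanitizeLinkHref(href) {
  return isSafeLinkHref(href) ? href.trim() : null;
}

// Minimal HTML attribute escaping for the render step (the CWE-116 side of the
// issue): even a validated href must be escaped when placed in an attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Render an image widget; the anchor is omitted entirely when the href is unsafe,
// so the image still displays but no link is emitted.
function renderImageWidget({ src, alt, href }) {
  const img = `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
  const safeHref = sanitizeLinkHref(href);
  return safeHref === null ? img : `<a href="${escapeAttr(safeHref)}">${img}</a>`;
}

// Constructed sample inputs (not taken from the advisory) covering the obvious
// payload plus the normalisation tricks a plain "startsWith('javascript:')"
// check would miss.
const SAMPLE_HREFS = [
  'https://example.com/gallery',
  '/media/photo.jpg',
  '#top',
  'mailto:editor@example.com',
  'javascript:alert(document.cookie)',
  '  JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  'vbscript:MsgBox',
  '',
];

// Returns one "href -> decision" line per sample; used for the stand-alone run.
function demoLines() {
  return SAMPLE_HREFS.map(
    (href) => `${JSON.stringify(href)} -> ${isSafeLinkHref(href) ? 'allow' : 'reject'}`
  );
}

console.log(demoLines().join('\n'));
console.log(renderImageWidget({ src: '/media/photo.jpg', alt: 'Photo', href: 'javascript:alert(1)' }));
```

Two points the check relies on: it must run on the value as the browser will see it (after any HTML entity decoding, i.e. on the stored string, not on an already-escaped copy), and rejecting the link rather than trying to "clean" a javascript: href avoids the normalisation games that make deny-lists fail. Protocol-relative hrefs (`//host/path`) resolve to the base scheme and are allowed here; restrict them too if the deployment does not want them.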
| CWE | CWE-79, CWE-116 |
| Vendor | apostrophecms |
| Product | apostrophe |
| Published | Jun 12, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | None |
Affected Versions
apostrophecms / apostrophe
= 4.29.0