๐Ÿ” CVE Alert

CVE-2026-45013

Severity: HIGH (8.1)

Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation

CVSS Score: 8.1
EPSS Score: 0.1%
EPSS Percentile: 34th

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using `req.hostname`, which is derived directly from the attacker-controlled HTTP `Host` header when `apos.baseUrl` is not explicitly configured. An unauthenticated attacker who knows a victim's email address can send a crafted reset request that causes the application to email the victim a reset link pointing to the attacker's domain. When the victim clicks the link, the valid reset token is delivered to the attacker, enabling full account takeover. As of the time of publication, no patched versions are known to be available.

CWE: CWE-20, CWE-640
Vendor: apostrophecms
Product: apostrophe
Published: Jun 12, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Affected Versions

apostrophecms / apostrophe: <= 4.29.0

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-gf43-24g3-5hw2