CVE Alert

CVE-2026-45014

UNKNOWN 0.0

Apostrophe Vulnerable to Stored Cross-Site Scripting via Unsanitized User Display Name in Draft Version Tooltip

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 are vulnerable to stored cross-site scripting via an unsanitized user display name in the draft version tooltip. As of the time of publication, no known patched versions are available.

CWE: CWE-79
Vendor: apostrophecms
Product: apostrophe
Published: Jun 12, 2026

Affected Versions

apostrophecms / apostrophe
<= 4.29.0

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-hvx2-4ghc-j37m