PatchSiren cyber security CVE debrief
CVE-2026-45011 apostrophecms CVE debrief
ApostropheCMS version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the live site. When another user, including an administrator or public visitor, clicks the affected image/link, arbitrary JavaScript executes in the victim’s browser. As of time of publication, no known patched versions are available.
- Vendor
- apostrophecms
- Product
- apostrophe
- CVSS
- HIGH 7.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Users of ApostropheCMS version 4.29.0, particularly those with Editor roles, should be aware of this vulnerability and take necessary precautions.
Technical summary
The vulnerability is caused by the lack of proper input validation in the image widget functionality of ApostropheCMS version 4.29.0. An attacker with Editor privileges can inject malicious JavaScript code into the image widget link, which can then be executed by other users who click on the affected image or link.
Defensive priority
HIGH
Recommended defensive actions
- Users of ApostropheCMS version 4.29.0 should update to a patched version as soon as it becomes available.
- In the meantime, users can take steps to mitigate the vulnerability by limiting Editor privileges or closely monitoring image widget configurations.
Evidence notes
The CVE record for CVE-2026-45011 provides additional information on the vulnerability, including its CVSS score and vector.
Official resources
CVE-2026-45011 was published on 2026-06-12T21:16:22.580Z and has not been modified since then.