PatchSiren cyber security CVE debrief
CVE-2026-45012 apostrophecms CVE debrief
ApostropheCMS, an open-source Node.js content management system, is vulnerable to an authenticated server-side request forgery (SSRF) attack in the rich-text widget import flow. Tracked as CVE-2026-45012, the issue affects versions up to and including 4.29.0. Any authenticated user who can submit or edit rich-text widget content can make the server fetch an attacker-controlled URL during widget validation, so the attacker needs only an account with that editing capability, not necessarily administrative access. If the response looks like an image, Apostrophe persists it and re-hosts it from its own media storage, which lets the attacker read the fetched body back (response exfiltration) even when the target host is reachable only from the application server. The CVSS score is 7.6 (High). The vulnerability was published on June 12, 2026, and as of that date no patched version was available.
- Vendor: apostrophecms
- Product: apostrophe
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Anyone operating an ApostropheCMS site on an affected version (4.29.0 or earlier). Exposure is highest where rich-text editing is granted broadly (contributor or editor roles held by many people, or self-service accounts) and where the application host can reach services the public cannot, such as cloud instance metadata endpoints, internal admin interfaces, or other back-end HTTP services on the same network. Administrators should plan to upgrade as soon as a fixed version ships and apply the mitigations in the defensive actions section in the meantime.
Technical summary
CVE-2026-45012 is an authenticated SSRF in the rich-text widget import flow of ApostropheCMS up to and including 4.29.0. When rich-text widget content is validated, the server fetches URLs contained in it; because those URLs come from the submitting user, an authenticated editor can direct the fetch at any host the application server can reach. When the response is image-compatible, Apostrophe stores the fetched bytes and serves them back as a hosted asset, turning what would otherwise be a blind SSRF into one whose response the attacker can read. CVSS 7.6 (High). No patched version was available when the advisory was published.
Defensive priority
High
Recommended defensive actions
- Restrict rich-text widget editing to trusted roles and review who currently holds that capability; the attacker needs nothing more than an account that can edit such content.
- Until a fix ships, validate URLs before the server fetches them: allow only http and https, resolve the hostname, reject loopback, RFC 1918, link-local (including the 169.254.169.254 cloud metadata address) and IPv4-mapped IPv6 addresses, and connect to the address that was validated rather than resolving the name a second time (DNS rebinding).
- Add egress controls at the network layer (host firewall, egress proxy or cloud security groups) so the application host cannot reach metadata endpoints or internal services it does not need.
- Monitor: log outbound HTTP requests made by the application and alert on destinations in internal ranges; review the media library for recently imported images that did not come from expected sources.
- Upgrade to a patched version of ApostropheCMS as soon as one is available.
Evidence notes
The CVE-2026-45012 vulnerability is confirmed to exist in ApostropheCMS versions up to and including 4.29.0. The vulnerability allows for authenticated SSRF attacks in the rich-text widget import flow. No patched versions are available at the time of publication.
Official resources
- CVE-2026-45012 CVE record (CVE.org)
- CVE-2026-45012 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-45012 was published on June 12, 2026, and as of that date no patched versions of ApostropheCMS were available.