PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45013 apostrophecms CVE debrief

ApostropheCMS, an open-source Node.js content management system, builds its password reset link from untrusted request data in versions up to and including 4.29.0. An unauthenticated attacker who knows a victim's email address can submit a password reset request carrying a crafted HTTP `Host` header. The application then emails the victim a reset link whose origin is the attacker's domain: when `apos.baseUrl` is not explicitly configured, the link is constructed from `req.hostname`, which Express derives from the `Host` header (or from `X-Forwarded-Host` when `trust proxy` is enabled). The email is otherwise genuine, sent by the real site, so a victim who clicks the link delivers the valid reset token to the attacker, who can then complete the reset and take over the account.

Vendor
apostrophecms
Product
apostrophe
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-12
Original CVE updated
2026-06-13
Advisory published
2026-06-12
Advisory updated
2026-06-13

Who should care

Anyone running ApostropheCMS 4.29.0 or earlier with password reset in use is affected, and exposure is greatest on deployments that never set `apos.baseUrl` explicitly. The attack needs no credentials, only a victim's email address and one click from the victim, and it ends in full account takeover, so administrator accounts are the obvious target.

Technical summary

The vulnerability has a CVSS score of 8.1 and is classified as HIGH severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N: reachable over the network with low complexity and no privileges, but requiring user interaction (the victim must click the emailed link), with high impact on confidentiality and integrity of the compromised account and none on availability. The weaknesses associated with this vulnerability are CWE-20 (Improper Input Validation, here of the `Host` header) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password).

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to a patched release of ApostropheCMS as soon as one is available.
  • Set `apos.baseUrl` to the site's canonical origin (scheme and host) in the Apostrophe configuration so that reset links are built from configuration rather than from `req.hostname`. The vulnerable path is only taken when `apos.baseUrl` is not configured, so this closes the hole on versions that cannot be upgraded yet.
  • As defence in depth, have the reverse proxy accept only the site's own host names and reject any other `Host` value before it reaches the application; if Express `trust proxy` is enabled, make sure the proxy overwrites rather than forwards a client-supplied `X-Forwarded-Host`.
  • Review web server or proxy logs for password reset requests whose `Host` header is not the canonical site name; such requests are the attack in progress and identify the targeted email addresses.
  • Treat unexpected password reset emails as suspicious, and check that the link's domain matches the site before clicking.
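A detector for the attack, as an added example that is not the page's or the project's code, run over a few constructed reverse-proxy log lines. It assumes the proxy logs the `Host` header it received (nginx `$host`) and that the reset request endpoint path contains `reset-request`; that path, the addresses and the domains are assumptions, so match the pattern to the login routes of the instance being monitored.

```javascript
'use strict';

// Constructed nginx-style access log lines (format assumed):
//   $remote_addr - - [$time_local] "$request" $status $body_bytes_sent "$host"
// The last field is the Host header exactly as the proxy received it.
const SAMPLE_LOG = `
203.0.113.7 - - [12/Jun/2026:21:30:01 +0000] "POST /api/v1/@apostrophecms/login/reset-request HTTP/1.1" 200 27 "attacker.example"
198.51.100.4 - - [12/Jun/2026:21:30:05 +0000] "POST /api/v1/@apostrophecms/login/reset-request HTTP/1.1" 200 27 "cms.example.com"
203.0.113.7 - - [12/Jun/2026:21:31:44 +0000] "GET / HTTP/1.1" 200 5120 "attacker.example"
198.51.100.9 - - [12/Jun/2026:21:32:10 +0000] "POST /api/v1/@apostrophecms/login/reset-request HTTP/1.1" 200 27 "CMS.EXAMPLE.COM:443"
`.trim();

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "([^"]*)"$/;

// Parse one access log line into its fields; returns null for lines that do
// not match the assumed format (blank lines, other log formats).
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), host: m[6] };
}

// Compare host names the way a proxy or browser would: case-insensitive and
// without the port, so "CMS.EXAMPLE.COM:443" is the legitimate site.
function canonicalHost(value) {
  return value.trim().toLowerCase().replace(/:\d+$/, '');
}

// Flag password reset requests whose Host header is not one of the site's own
// names. `resetPathPattern` is an assumption about the endpoint path; adjust
// it to the login routes of the instance being monitored.
function findSuspiciousResetRequests(logText, allowedHosts, resetPathPattern = /reset-request/) {
  const allowed = new Set(allowedHosts.map(canonicalHost));
  const findings = [];
  for (const line of logText.split('\n')) {
    const rec = parseLine(line);
    if (!rec || rec.method !== 'POST' || !resetPathPattern.test(rec.path)) continue;
    const host = canonicalHost(rec.host);
    if (!allowed.has(host)) {
      findings.push({ ip: rec.ip, time: rec.time, host, path: rec.path });
    }
  }
  return findings;
}

const findings = findSuspiciousResetRequests(SAMPLE_LOG, ['cms.example.com']);
for (const f of findings) {
  console.log(`suspicious reset request from ${f.ip} at ${f.time}: Host=${f.host}`);
}
```

Only the first line is reported: the second and fourth use the site's own name (the fourth differs only in case and port), and the third carries a spoofed host but is not a reset request. Because the spoofed host is the attacker's infrastructure, each finding also gives you a domain to block and a source address to correlate with the reset emails the application sent.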

Evidence notes

The CVE record at cve.org and the NVD entry for CVE-2026-45013 are the sources for the dates, score and weakness classifications above.

Official resources

CVE-2026-45013 was published on 2026-06-12T21:16:22.850Z and modified on 2026-06-13T04:17:22.617Z.