PatchSiren cyber security CVE debrief

CVE-2026-45014 apostrophecms CVE debrief

ApostropheCMS, an open-source Node.js content management system, is vulnerable to stored cross-site scripting (XSS) via an unsanitized user display name in the draft version tooltip. This vulnerability is identified as CVE-2026-45014 and has a CVSS score of 5.3, categorized as MEDIUM severity. As of the publication date, no patched versions are available. The vulnerability allows an attacker to inject malicious scripts into the display name field, which can then be executed when another user views the draft version tooltip.

Vendor: apostrophecms
Product: apostrophe
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Developers and administrators running ApostropheCMS versions up to and including 4.29.0 should treat this as an open issue: no fixed release exists yet, so the mitigations below are the only protection available until one ships.

Technical summary

The vulnerability exists because the user display name is not sanitized before it is rendered in the draft version tooltip. An attacker can store markup or script in the display name field, and it is executed in the browser of any other user who views the draft version tooltip. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Read plainly: network-reachable, low attack complexity, no privileges required, but it needs a victim to view the tooltip (UI:P), and the impact lands on the viewing user's session rather than the server itself (SC:L/SI:L), which is why the score stays at MEDIUM.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update to a patched version of ApostropheCMS as soon as one is released.
  • In the meantime, ensure user-controlled values such as display names are HTML-encoded at output time wherever they are rendered, not only validated on input.
  • Deploy a Content Security Policy (CSP) to limit what injected script can do, and monitor for markup or script tags appearing in stored display names.
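To make the output-encoding point in the technical summary and the second defensive action concrete, here is an added example (not ApostropheCMS code; the tooltip template, field names and sample version record are assumptions) showing the raw-interpolation pattern that produces this class of bug next to the escaped version that closes it:

```javascript
// Added example (not ApostropheCMS code): HTML-escape a user display name
// before it is interpolated into draft-version tooltip markup.
// The template string and the version/author field names are assumptions.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that can change HTML structure or terminate an
// attribute value. Safe for text content and for quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the display name is interpolated as raw HTML, so any
// markup stored in the name becomes part of the tooltip DOM.
function renderTooltipUnsafe(version) {
  return `<div class="version-tooltip">Draft by ${version.author.displayName}` +
    ` on ${version.updatedAt}</div>`;
}

// Hardened pattern: every user-controlled value is escaped at output time.
// Output encoding is the real fix; input validation alone is not enough,
// because legitimate names (O'Brien, "Bob") contain characters to preserve.
function renderTooltipSafe(version) {
  const name = escapeHtml(version.author.displayName);
  const when = escapeHtml(version.updatedAt);
  return `<div class="version-tooltip">Draft by ${name} on ${when}</div>`;
}

// Detection helper: true when rendered markup still contains a script tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a display name carrying markup, as the advisory describes.
const sampleVersion = {
  author: { displayName: 'Alice <script>/* injected */</script>' },
  updatedAt: '2026-06-12',
};

console.log(renderTooltipSafe(sampleVersion));
```

The same `containsScriptTag` check can be run over stored display names as a cheap indicator while no patched release is available.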

Evidence notes

This vulnerability is confirmed by the CVE record [cve-org]. Additional information can be found in the NVD detail [nvd] and the source reference [ref-4].

Official resources

CVE-2026-45014 was published on 2026-06-12T21:16:22.990Z and has not been modified since then.