PatchSiren cyber security CVE debrief

CVE-2026-53607 apostrophecms CVE debrief

ApostropheCMS, an open-source Node.js content management system, has a vulnerability in versions up to and including 4.30.0. When the `prettyUrls: true` option is enabled on `@apostrophecms/file` (a feature that serves uploaded files at clean URLs), an unauthenticated remote attacker can cause the Apostrophe process to issue outbound HTTP requests against any host reachable on the private network, a server-side request forgery (SSRF). The vulnerability is rated LOW with a CVSS score of 3.7.

Vendor: apostrophecms
Product: apostrophe
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Users of ApostropheCMS, especially those who have enabled the `prettyUrls: true` option on `@apostrophecms/file`, should be aware of this vulnerability and take necessary actions to mitigate it.

Technical summary

The public pretty-URL handler in ApostropheCMS builds the upstream URL from the raw `Host` HTTP request header, which is fully attacker-controlled, so a request carrying a chosen `Host` value makes the Apostrophe process issue an outbound HTTP request to any host reachable on the private network. The path component of the URL is constrained to `/uploads/attachments/<cuid>-<slug>.<ext>`, which limits the impact but still leaves a blind SSRF.

Defensive priority

LOW

Recommended defensive actions

  • Update to a patched version of ApostropheCMS as soon as available.
  • Disable the `prettyUrls: true` option on `@apostrophecms/file` if not necessary.
  • Monitor for suspicious outbound HTTP requests from the Apostrophe process.

Evidence notes

The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information is available at [ref-4].

Official resources

CVE-2026-53607 was published on 2026-06-12T21:16:24.247Z and has not been modified since then.