CVE-2026-45011

7.3 HIGH

ApostropheCMS is an open-source Node.js content management system

Published: 2026-06-12 · Last updated: 2026-06-12

Severity and scoring

CVSS: 7.3 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CWE: CWE-116, CWE-79

Description

ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the live site. When another user, including an administrator or public visitor, clicks the affected image/link, arbitrary JavaScript executes in the victim’s browser. As of time of publication, no known patched versions are available.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-12176 — A vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 (4.3 MEDIUM)
CVE-2026-5513 — The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '... (7.2 HIGH)
CVE-2026-9629 — The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including... (6.4 MEDIUM)
CVE-2026-3297 — The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anc... (6.4 MEDIUM)
CVE-2026-9134 — The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in ve... (6.4 MEDIUM)