Product
ApostropheCMS is vulnerable to authenticated server-side request forgery (SSRF) via rich-text widget import; an attacker with edit access can trigger server-side requests to attacker-controlled URLs during widget validation, enabling internal port scanning and potential data exfiltration by re-hosting image-compatible responses.