{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/apostrophecms--4.29.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["apostrophecms \u003c= 4.29.0"],"_cs_severities":["high"],"_cs_tags":["ssrf","apostrophecms","cve-2026-45012"],"_cs_type":"advisory","_cs_vendors":["apostrophe"],"content_html":"\u003cp\u003eApostropheCMS versions 4.29.0 and earlier are vulnerable to an authenticated server-side request forgery (SSRF) vulnerability (CVE-2026-45012) within the rich-text widget import functionality. An authenticated user, possessing the ability to submit or edit rich-text widget content, can manipulate the import process to induce the server to issue requests to arbitrary URLs during widget validation. By injecting a crafted \u003ccode\u003e\u0026lt;img src\u0026gt;\u003c/code\u003e tag within the imported HTML, an attacker can trigger the server to fetch content from a specified URL. If the server receives an image-compatible response, ApostropheCMS may persist and re-host the fetched content, creating a vector for exfiltration of sensitive information. This vulnerability enables attackers to perform internal port scanning and potentially exfiltrate data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker logs into the ApostropheCMS application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious rich-text widget payload containing an \u003ccode\u003eimport.html\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003eimport.html\u003c/code\u003e, the attacker includes an \u003ccode\u003e\u0026lt;img src\u0026gt;\u003c/code\u003e tag pointing to an attacker-controlled URL or internal resource.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the widget payload to the \u003ccode\u003e/api/v1/@apostrophecms/area/validate-widget?aposMode=draft\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe server-side \u003ccode\u003evalidate-widget\u003c/code\u003e route parses the HTML content, identifies the \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tag, and resolves the URL.\u003c/li\u003e\n\u003cli\u003eThe server then performs an HTTP \u003ccode\u003efetch()\u003c/code\u003e request to the resolved URL, as specified in the \u003ccode\u003esrc\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eIf the response is image-compatible, ApostropheCMS attempts to process and store the fetched content as an image asset.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access the re-hosted image through a generated image URL, potentially exfiltrating data. If the response is not an image, the SSRF still occurs and can be used for reconnaissance purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability, tracked as CVE-2026-45012, allows authenticated users with rich-text widget editing privileges to trigger server-side requests to arbitrary URLs. This can enable attackers to scan internal network resources (127.0.0.1, private subnets), perform blind or semi-blind internal port and service discovery, and potentially exfiltrate data by causing the application to store and re-host fetched image content. The vulnerability affects ApostropheCMS versions 4.29.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of ApostropheCMS that addresses the SSRF vulnerability (CVE-2026-45012).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ApostropheCMS SSRF via validate-widget\u003c/code\u003e to detect requests to the vulnerable API endpoint with potentially malicious image URLs.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for HTTP requests to internal or unusual destinations originating from the ApostropheCMS server.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for user-supplied URLs, especially within rich-text widgets, to prevent the injection of malicious URLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T18:27:23Z","date_published":"2026-05-14T18:27:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-apostrophe-ssrf/","summary":"ApostropheCMS is vulnerable to authenticated server-side request forgery (SSRF) via rich-text widget import; an attacker with edit access can trigger server-side requests to attacker-controlled URLs during widget validation, enabling internal port scanning and potential data exfiltration by re-hosting image-compatible responses.","title":"ApostropheCMS Authenticated SSRF via Rich-Text Widget Import (CVE-2026-45012)","url":"https://feed.craftedsignal.io/briefs/2026-05-apostrophe-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Apostrophecms \u003c= 4.29.0","version":"https://jsonfeed.org/version/1.1"}