{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/apostrophecms/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["apostrophecms (= 4.29.0)"],"_cs_severities":["high"],"_cs_tags":["xss","apostrophecms","cve-2026-45011","javascript"],"_cs_type":"advisory","_cs_vendors":["Apostrophe"],"content_html":"\u003cp\u003eA stored cross-site scripting (XSS) vulnerability exists within the image widget functionality of ApostropheCMS version 4.29.0. An attacker with Editor privileges can inject malicious JavaScript code by configuring an image widget\u0026rsquo;s link field with a \u003ccode\u003ejavascript:\u003c/code\u003e URL. This vulnerability allows the attacker to execute arbitrary JavaScript code in the browsers of other users who interact with the compromised image link, including administrators and public visitors. The vulnerability is identified as CVE-2026-45011.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs into ApostropheCMS with Editor privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the home page and enables edit mode.\u003c/li\u003e\n\u003cli\u003eThe attacker adds an Image widget to the main content area.\u003c/li\u003e\n\u003cli\u003eThe attacker selects an existing image from the media library.\u003c/li\u003e\n\u003cli\u003eThe attacker opens the image widget settings.\u003c/li\u003e\n\u003cli\u003eIn the \u0026ldquo;Link to\u0026rdquo; field, the attacker selects the \u0026ldquo;URL\u0026rdquo; option.\u003c/li\u003e\n\u003cli\u003eIn the URL field, the attacker enters a malicious \u003ccode\u003ejavascript:\u003c/code\u003e payload (e.g., \u003ccode\u003ejavascript:alert(document.domain)\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker saves the widget and updates the page, publishing the malicious content.\u003c/li\u003e\n\u003cli\u003eA victim (administrator or guest) visits the published page and clicks on the linked image.\u003c/li\u003e\n\u003cli\u003eThe JavaScript payload executes in the victim\u0026rsquo;s browser, potentially allowing the attacker to perform actions on their behalf.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker with Editor privileges to store a malicious JavaScript payload in a published page within ApostropheCMS. When other users, including administrators or public visitors, click on the affected image link, the injected JavaScript executes in their browsers. This can lead to account compromise, access to sensitive data, modification of content, phishing attacks, and overall compromise of visitors who interact with the malicious image link.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cp\u003ePrioritize the following actions to mitigate this XSS vulnerability:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the vendor\u0026rsquo;s recommended URL validation and sanitization for widget link fields to reject dangerous schemes like \u003ccode\u003ejavascript:\u003c/code\u003e and \u003ccode\u003edata:\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ApostropheCMS XSS via Javascript URL\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider implementing a strict Content Security Policy (CSP) to limit the impact of potential XSS vulnerabilities.\u003c/li\u003e\n\u003cli\u003eUpgrade ApostropheCMS to a version that addresses CVE-2026-45011.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T18:30:11Z","date_published":"2026-05-14T18:30:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-apostrophe-xss/","summary":"A stored cross-site scripting vulnerability (CVE-2026-45011) was identified in ApostropheCMS image widget functionality, where a user with the Editor role can configure an image widget link to use a javascript: URL payload, which will execute arbitrary JavaScript in the victim’s browser when clicked.","title":"ApostropheCMS Stored XSS via Image Widget Link (CVE-2026-45011)","url":"https://feed.craftedsignal.io/briefs/2026-05-apostrophe-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["apostrophecms \u003c= 4.29.0"],"_cs_severities":["high"],"_cs_tags":["ssrf","apostrophecms","cve-2026-45012"],"_cs_type":"advisory","_cs_vendors":["apostrophe"],"content_html":"\u003cp\u003eApostropheCMS versions 4.29.0 and earlier are vulnerable to an authenticated server-side request forgery (SSRF) vulnerability (CVE-2026-45012) within the rich-text widget import functionality. An authenticated user, possessing the ability to submit or edit rich-text widget content, can manipulate the import process to induce the server to issue requests to arbitrary URLs during widget validation. By injecting a crafted \u003ccode\u003e\u0026lt;img src\u0026gt;\u003c/code\u003e tag within the imported HTML, an attacker can trigger the server to fetch content from a specified URL. If the server receives an image-compatible response, ApostropheCMS may persist and re-host the fetched content, creating a vector for exfiltration of sensitive information. This vulnerability enables attackers to perform internal port scanning and potentially exfiltrate data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker logs into the ApostropheCMS application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious rich-text widget payload containing an \u003ccode\u003eimport.html\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003eimport.html\u003c/code\u003e, the attacker includes an \u003ccode\u003e\u0026lt;img src\u0026gt;\u003c/code\u003e tag pointing to an attacker-controlled URL or internal resource.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the widget payload to the \u003ccode\u003e/api/v1/@apostrophecms/area/validate-widget?aposMode=draft\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe server-side \u003ccode\u003evalidate-widget\u003c/code\u003e route parses the HTML content, identifies the \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tag, and resolves the URL.\u003c/li\u003e\n\u003cli\u003eThe server then performs an HTTP \u003ccode\u003efetch()\u003c/code\u003e request to the resolved URL, as specified in the \u003ccode\u003esrc\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eIf the response is image-compatible, ApostropheCMS attempts to process and store the fetched content as an image asset.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access the re-hosted image through a generated image URL, potentially exfiltrating data. If the response is not an image, the SSRF still occurs and can be used for reconnaissance purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability, tracked as CVE-2026-45012, allows authenticated users with rich-text widget editing privileges to trigger server-side requests to arbitrary URLs. This can enable attackers to scan internal network resources (127.0.0.1, private subnets), perform blind or semi-blind internal port and service discovery, and potentially exfiltrate data by causing the application to store and re-host fetched image content. The vulnerability affects ApostropheCMS versions 4.29.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of ApostropheCMS that addresses the SSRF vulnerability (CVE-2026-45012).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ApostropheCMS SSRF via validate-widget\u003c/code\u003e to detect requests to the vulnerable API endpoint with potentially malicious image URLs.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for HTTP requests to internal or unusual destinations originating from the ApostropheCMS server.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for user-supplied URLs, especially within rich-text widgets, to prevent the injection of malicious URLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T18:27:23Z","date_published":"2026-05-14T18:27:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-apostrophe-ssrf/","summary":"ApostropheCMS is vulnerable to authenticated server-side request forgery (SSRF) via rich-text widget import; an attacker with edit access can trigger server-side requests to attacker-controlled URLs during widget validation, enabling internal port scanning and potential data exfiltration by re-hosting image-compatible responses.","title":"ApostropheCMS Authenticated SSRF via Rich-Text Widget Import (CVE-2026-45012)","url":"https://feed.craftedsignal.io/briefs/2026-05-apostrophe-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Apostrophecms","version":"https://jsonfeed.org/version/1.1"}