{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45011/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["apostrophecms (= 4.29.0)"],"_cs_severities":["high"],"_cs_tags":["xss","apostrophecms","cve-2026-45011","javascript"],"_cs_type":"advisory","_cs_vendors":["Apostrophe"],"content_html":"\u003cp\u003eA stored cross-site scripting (XSS) vulnerability exists within the image widget functionality of ApostropheCMS version 4.29.0. An attacker with Editor privileges can inject malicious JavaScript code by configuring an image widget\u0026rsquo;s link field with a \u003ccode\u003ejavascript:\u003c/code\u003e URL. This vulnerability allows the attacker to execute arbitrary JavaScript code in the browsers of other users who interact with the compromised image link, including administrators and public visitors. The vulnerability is identified as CVE-2026-45011.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs into ApostropheCMS with Editor privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the home page and enables edit mode.\u003c/li\u003e\n\u003cli\u003eThe attacker adds an Image widget to the main content area.\u003c/li\u003e\n\u003cli\u003eThe attacker selects an existing image from the media library.\u003c/li\u003e\n\u003cli\u003eThe attacker opens the image widget settings.\u003c/li\u003e\n\u003cli\u003eIn the \u0026ldquo;Link to\u0026rdquo; field, the attacker selects the \u0026ldquo;URL\u0026rdquo; option.\u003c/li\u003e\n\u003cli\u003eIn the URL field, the attacker enters a malicious \u003ccode\u003ejavascript:\u003c/code\u003e payload (e.g., \u003ccode\u003ejavascript:alert(document.domain)\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker saves the widget and updates the page, publishing the malicious content.\u003c/li\u003e\n\u003cli\u003eA victim (administrator or guest) visits the published page and clicks on the linked image.\u003c/li\u003e\n\u003cli\u003eThe JavaScript payload executes in the victim\u0026rsquo;s browser, potentially allowing the attacker to perform actions on their behalf.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker with Editor privileges to store a malicious JavaScript payload in a published page within ApostropheCMS. When other users, including administrators or public visitors, click on the affected image link, the injected JavaScript executes in their browsers. This can lead to account compromise, access to sensitive data, modification of content, phishing attacks, and overall compromise of visitors who interact with the malicious image link.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cp\u003ePrioritize the following actions to mitigate this XSS vulnerability:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the vendor\u0026rsquo;s recommended URL validation and sanitization for widget link fields to reject dangerous schemes like \u003ccode\u003ejavascript:\u003c/code\u003e and \u003ccode\u003edata:\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ApostropheCMS XSS via Javascript URL\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider implementing a strict Content Security Policy (CSP) to limit the impact of potential XSS vulnerabilities.\u003c/li\u003e\n\u003cli\u003eUpgrade ApostropheCMS to a version that addresses CVE-2026-45011.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T18:30:11Z","date_published":"2026-05-14T18:30:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-apostrophe-xss/","summary":"A stored cross-site scripting vulnerability (CVE-2026-45011) was identified in ApostropheCMS image widget functionality, where a user with the Editor role can configure an image widget link to use a javascript: URL payload, which will execute arbitrary JavaScript in the victim’s browser when clicked.","title":"ApostropheCMS Stored XSS via Image Widget Link (CVE-2026-45011)","url":"https://feed.craftedsignal.io/briefs/2026-05-apostrophe-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-45011","version":"https://jsonfeed.org/version/1.1"}