ApostropheCMS Account Takeover via Weak Password Reset Mechanism (CVE-2026-45013)
ApostropheCMS is vulnerable to account takeover due to a weak password recovery mechanism. When `apos.baseUrl` is not explicitly configured, the password reset flow builds the reset URL from `req.hostname`, which is derived from the attacker-controlled HTTP `Host` header. An attacker can therefore request a password reset for a victim's account while supplying a `Host` header that points at a server they control; the victim receives a legitimate-looking reset email whose link leads to the attacker's server, and clicking it hands the reset token to the attacker, who can then set a new password and take over the account.
ApostropheCMS Stored XSS via Image Widget Link (CVE-2026-45011)
A stored cross-site scripting vulnerability (CVE-2026-45011) was identified in the ApostropheCMS image widget: a user with the Editor role can set the widget's link to a `javascript:` URL, which is stored, rendered into the page and executes arbitrary JavaScript in the browser of any user who clicks the image.
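As an added example (not ApostropheCMS code), a scheme allowlist applied to the href an editor puts on an image widget, so a `javascript:` or `data:` URL never reaches the rendered anchor. It goes a little beyond the single payload above by also handling the case-variant and tab-separated forms (`JavaScript:`, `java\tscript:`) that browsers still execute. The allowlist, the widget shape and the function names are assumptions of this example.

```javascript
'use strict';
// Added example (not ApostropheCMS code). ALLOWED_SCHEMES, the widget shape
// and the function names are this example's assumptions.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// True if href may be placed in an <a href>. Parsing with the WHATWG URL
// parser against a placeholder base means relative links inherit the base's
// scheme, while an absolute URL reveals its own. The parser also strips the
// tabs, newlines and leading control characters browsers ignore, so
// "java\tscript:" and "  JavaScript:" both surface as "javascript:".
function isSafeHref(href) {
  if (typeof href !== 'string' || href.trim() === '') return false;
  let parsed;
  try {
    parsed = new URL(href, 'https://placeholder.invalid/');
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Applied when the widget is saved: keep a safe link, drop an unsafe one and
// report what was dropped so the editor gets feedback rather than a silent
// change. Validation on save is what makes this a fix for *stored* XSS.
function sanitizeImageWidget(widget) {
  const out = { ...widget };
  const link = widget.link;
  if (link === undefined || link === null || link === '') {
    delete out.link;
    return { widget: out, rejected: null };
  }
  if (isSafeHref(link)) return { widget: out, rejected: null };
  delete out.link;
  return { widget: out, rejected: link };
}

// Rendering side: escape attribute values and emit <a> only for a link that
// has passed sanitizeImageWidget.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function renderImageWidget(widget) {
  const img = `<img src="${escapeAttr(widget.src)}" alt="${escapeAttr(widget.alt || '')}">`;
  if (!widget.link) return img;
  return `<a href="${escapeAttr(widget.link)}">${img}</a>`;
}
```

An allowlist is used rather than a denylist of `javascript:` and friends because the set of schemes a browser will execute is larger than most lists (`vbscript:` in legacy engines, `data:` for HTML documents) and an unknown custom scheme has no business in a content link anyway.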
ApostropheCMS Authenticated SSRF via Rich-Text Widget Import (CVE-2026-45012)
ApostropheCMS is vulnerable to authenticated server-side request forgery (SSRF) via rich-text widget import. An attacker with edit access can supply attacker-controlled URLs that the server fetches during widget validation, enabling scanning of internal hosts and ports and, where an internal response is image-compatible, exfiltration of its contents by having the server re-host it.