CVE-2026-45012 HIGH

CVE-2026-45012: Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget

Vendor Apostrophecms
Product apostrophe
Weakness CWE-918 · SSRF
Published June 12, 2026
Last update June 15, 2026
View on NVD All CVEs

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

What the vulnerability does

01Description

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation. For image-compatible responses, the fetched content can be persisted and re-hosted by Apostrophe, allowing response exfiltration. As of time of publication, no known patched versions are available.

Key dates

02Disclosure timeline

June 12, 2026 CVE published
June 15, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-11913 Activity Plus Reloaded for BuddyPress <= 1.1.1 - Authenticated (Subscriber+) Blind Server-Side Request Forgery CVE-2025-49374 WordPress Captcha.eu plugin <= 1.0.61 - Server Side Request Forgery (SSRF) vulnerability CVE-2025-46568 Stirling-PDF Server-Side Request Forgery (SSRF)-Induced Arbitrary File Read Vulnerability CVE-2026-20958 Microsoft SharePoint Information Disclosure Vulnerability CVE-2025-2940 Ninja Tables – Easy Data Table Builder <= 5.0.18 - Unauthenticated Server-Side Request Forgery