CVE-2026-45011: Apostrophe has stored XSS via javascript: URL in Image Widget Link
ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the live site. When another user, including an administrator or public visitor, clicks the affected image link, arbitrary JavaScript executes in the victim's browser. As of the time of publication, no patched version is known to be available.
Metrics
- CVSS v3.1: 7.3
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) affects ApostropheCMS version 4.29.0 via the image widget link field. An authenticated user with Editor-level access can set a javascript: URL as the link target on an image widget and publish it to the live site; when any visitor or administrator clicks that image, arbitrary JavaScript runs in their browser. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection: Available. Detection of CVE-2026-45011 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle apostrophecms/apostrophe at version 4.29.0.
- Triage: Available. Triage is available with a CVSS v3.1 score of 7.3 (HIGH) applied to each matched image, weighted against the per-environment compliance policy of the customer org and routed to the appropriate team inbox for review.
- Patched rebuild: Pending upstream. Because no upstream fix version has been published as of this writing, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainers ship a corrected release. Customers with auto-remediation enabled will receive the rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required. The affected ApostropheCMS instance must be reachable over the network; the attacker crafts the payload through the CMS interface and the victim triggers it via a browser request to the published page.
- Authentication: Required. The attacker needs a valid Editor-level account to configure and publish the malicious image widget; any low-privilege account assigned the Editor role is sufficient.
- Victim interaction: Required. A victim, such as a site visitor or administrator, must click the affected image link in their browser to trigger JavaScript execution.
- Attack complexity: Low. Once the attacker has Editor access and the page is published, the exploit is straightforward and depends on no further conditions outside the attacker's control.
Blast Radius
- Reads session cookies and authentication tokens belonging to the victim, which can be used to hijack the victim's session including admin sessions.
- Exfiltrates any sensitive data visible in the victim's browser context at the time of the click, such as draft content, user profile data, or API responses rendered on the page.
- Executes arbitrary actions in the CMS on behalf of the victim, including modifying or publishing content, if the victim holds elevated privileges.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-45011 runs continuously against all registered images, including custom images that package ApostropheCMS. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a rebuilt image available automatically once the maintainers publish a fix. For customers with auto-remediation enabled, that rebuild triggers a regression-test run and a PR opened against affected workloads with no manual steps required. In the interim, compensating controls worth considering include restricting the Editor role to fully trusted users only, applying a Content Security Policy header that blocks javascript: URI navigation, and using network-policy rules to limit which users can reach the CMS authoring interface. HarborGuard will surface the patch availability alert as soon as the upstream advisory is updated.
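The root cause described above is a link field that accepts any string as an href, so the browser later parses `javascript:` as a scheme and runs the rest as script. The following is an added example, not code from ApostropheCMS or from HarborGuard: it shows the allowlist check such a field needs on save (rejecting by parsed scheme after undoing the entity, whitespace and case tricks a browser would undo), and a scan over already-stored widget data to find links that would navigate to a non-allowlisted scheme, which is the check a site owner would run on existing content while an upstream fix is pending. The function names (`hrefScheme`, `isSafeHref`, `sanitizeHref`, `findUnsafeLinks`) and the widget shape `{ id, type, href }` are assumptions of this example, not Apostrophe's schema or API.

```javascript
// Added example, not ApostropheCMS or HarborGuard code. Decides whether a
// stored href is safe by its *parsed* scheme, after undoing the obfuscations
// a browser would undo (HTML entities, embedded tab/newline, leading
// whitespace, mixed case). The widget shape { id, type, href } is a
// hypothetical stand-in for the CMS's real schema.

const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// A value stored in an HTML attribute is entity-decoded by the HTML parser
// before the URL parser ever sees it, so "javascript&#58;..." reaches the
// browser as "javascript:...". Decode the same way before inspecting.
const NAMED = { colon: ':', tab: '\t', newline: '\n', amp: '&' };
function fromCodePoint(cp) {
  // Guard against values String.fromCodePoint would reject.
  return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
}
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCodePoint(parseInt(d, 10)))
    .replace(/&(colon|tab|newline|amp);/gi, (_, n) => NAMED[n.toLowerCase()]);
}

// Resolve the href the way a browser would (WHATWG URL parsing strips
// leading/trailing controls and space and removes embedded tab/newline) and
// return its scheme, or null when it cannot be parsed at all. Relative
// links resolve against a dummy base and therefore come back as "https:".
function hrefScheme(raw) {
  if (typeof raw !== 'string') return null;
  try {
    return new URL(decodeEntities(raw), 'https://example.invalid/').protocol;
  } catch {
    return null;
  }
}

// Allowlist, never denylist: anything that is not a known-good scheme is
// rejected, so vbscript:, data:, blob: and friends fall out unlisted.
function isSafeHref(raw) {
  const scheme = hrefScheme(raw);
  return scheme !== null && SAFE_SCHEMES.has(scheme);
}

// Write-side fix: what a widget save hook should store. Unsafe values are
// dropped rather than "cleaned", so a stripped payload cannot be reassembled.
function sanitizeHref(raw) {
  return isSafeHref(raw) ? raw : '';
}

// Read-side check for content that is already stored: list image widgets
// whose link would navigate to a non-allowlisted scheme.
function findUnsafeLinks(widgets) {
  return widgets
    .filter((w) => w.type === 'image' && typeof w.href === 'string' && w.href !== '')
    .filter((w) => !isSafeHref(w.href))
    .map((w) => ({ id: w.id, href: w.href, scheme: hrefScheme(w.href) }));
}

// Constructed sample of stored widget data (not real site content).
const SAMPLE_WIDGETS = [
  { id: 'w1', type: 'image', href: 'https://example.com/gallery' },
  { id: 'w2', type: 'image', href: '/about' },
  { id: 'w3', type: 'image', href: 'javascript:alert(1)' },
  { id: 'w4', type: 'image', href: ' \tJaVaScRiPt&#58;alert(1)' }, // obfuscated form
  { id: 'w5', type: 'image', href: 'mailto:editor@example.com' },
  { id: 'w6', type: 'rich-text', href: 'javascript:alert(1)' }, // not an image widget, ignored here
];

console.log(findUnsafeLinks(SAMPLE_WIDGETS)); // reports w3 and w4
```

The scan is the compensating control to run first, because a validator added on save does nothing for widgets that were published before it existed. The Content Security Policy mentioned above is defence in depth for the same weakness at the browser: a `script-src` directive that omits `'unsafe-inline'` makes the browser refuse `javascript:` navigations, but it leaves the stored payload in place, so the content itself still needs to be found and removed.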
Affected Products
- apostrophecms/apostrophe = 4.29.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N