VYPR
Medium severity · NVD Advisory · Published Jun 12, 2026

CVE-2026-45014

Description

ApostropheCMS 4.29.0 and earlier are vulnerable to stored XSS via unsanitized user display name in draft version tooltips.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ApostropheCMS versions up to and including 4.29.0 contain a stored cross-site scripting vulnerability in the draft version tooltip. When a user hovers over a draft version indicator for content associated with an account whose display name has been crafted to contain markup, the unsanitized display name is rendered directly into the tooltip, allowing arbitrary JavaScript execution. The tooltip is part of the administrative interface and is accessible to authenticated users. [1]

Exploitation

An attacker must be an authenticated user with the ability to set their display name (e.g., via profile editing). The attacker modifies their display name to include a malicious JavaScript payload. When another authenticated user hovers over the draft version tooltip associated with the attacker's content, the payload executes in the victim's browser context. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other authenticated users viewing the tooltip. This can lead to session theft, unauthorized actions on behalf of the victim, or data exfiltration. The impact depends on the victim's privileges, potentially including admin-level compromise. [1]

Mitigation

As of the publication date, no patched version of ApostropheCMS is available and the vendor has not yet released a fix. As a workaround, administrators may consider restricting users' ability to set their own display names, or adding server-side sanitization of display name input. [1]
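The rendering pattern behind this class of bug, shown beside its hardened form, as an added illustration that is not ApostropheCMS code: the helper names are hypothetical, and the draft record and display name are constructed sample data.

```javascript
// Constructed sample: a draft whose author chose a display name containing markup.
const sampleDraft = {
  title: 'Homepage',
  version: 3,
  author: { displayName: '<b>Alice</b> & Co.' },
};

// Vulnerable pattern: the display name is concatenated straight into the
// tooltip HTML, so any markup stored in the value becomes part of the DOM.
function renderTooltipUnsafe(draft) {
  return `<div class="tooltip">Draft v${draft.version} by ${draft.author.displayName}</div>`;
}

// Output encoding: escape the characters that can change HTML context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every user-controlled value is encoded for the HTML text
// context before it is placed in the markup. This is the actual fix.
function renderTooltipSafe(draft) {
  return `<div class="tooltip">Draft v${escapeHtml(draft.version)} by ${escapeHtml(draft.author.displayName)}</div>`;
}

// Defense in depth matching the server-side workaround in the advisory:
// reject display names that carry markup characters at input time.
// Not a substitute for output encoding, since a value can reach the tooltip
// from other paths (imports, API writes, records saved before the rule).
function isAcceptableDisplayName(name) {
  return typeof name === 'string'
    && name.length > 0 && name.length <= 64
    && !/[<>"'&]/.test(name);
}

// Check helper: does the rendered tooltip contain any tag that did not come
// from the fixed template? Useful as a unit test guarding the renderer.
function containsInjectedTag(html) {
  const inner = html.replace(/^<div class="tooltip">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}
```

Running `containsInjectedTag` over both renderers for the sample draft shows the unsafe output leaking the `<b>` tag while the hardened output carries only encoded text.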

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.