ApostropheCMS: Nine CVEs Disclosed in Single-Day Batch Including Two Critical Flaws

Key findings
- Two critical CVEs: prototype pollution (9.1) and sanitize-html bypass (9.3)
- Four high-severity bugs include stored XSS, SSRF, and host-header injection
- Password reset flow uses attacker-controlled Host header when baseUrl is unset
- CLI tool (apos create) embeds password input directly into shell commands
- Four CVEs had no patch available at disclosure time
- Companion packages (@apostrophecms/seo, @apostrophecms/cli) also affected
On June 12, 2026, the ApostropheCMS security team disclosed nine vulnerabilities affecting the open-source Node.js content management system and several of its companion packages. The batch spans critical prototype pollution, high-severity XSS and SSRF flaws, a command injection in the CLI tool, and a dangerous sanitize-html bypass — making it one of the most consequential coordinated disclosures for the Apostrophe ecosystem to date.
Prototype Pollution at the Core
The most severe issue, CVE-2026-53609 (CVSS 9.1), resides in the core apos.util.set() function. In ApostropheCMS versions up to and including 4.30.0, the method traverses dot-notation paths without sanitizing __proto__, allowing an authenticated editor to write arbitrary values to Object.prototype via the $pullAll patch operator. A confirmed gadget chain exists, elevating this from a theoretical pollution vector to a practical exploit. A second critical flaw, CVE-2026-44990 (CVSS 9.3), is actually a vulnerability in the sanitize-html library (versions prior to 2.17.4) that ApostropheCMS depends on. Under default configuration, attacker-controlled content inside a disallowed <xmp> element can be turned into live HTML or JavaScript, effectively bypassing the sanitizer entirely.
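To make the core issue concrete, here is an added illustration (not ApostropheCMS code, and not a reproduction of apos.util.set() or the $pullAll operator) of a dot-path setter with the traversal flaw the advisory describes, beside a hardened version. The function names are assumptions for the example.

```javascript
// Added illustration, not ApostropheCMS code: a dot-path setter of the kind the
// advisory describes for CVE-2026-53609, beside a hardened version. Function
// names are assumptions; apos.util.set() and $pullAll are the real entry points
// named on the page and are not reproduced here.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive traversal: every path segment becomes a property name, so the segment
// "__proto__" walks from a plain object onto Object.prototype and the final
// assignment lands on every object in the process.
function naiveSet(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened traversal: reject the three keys that reach a prototype, descend only
// through own properties (never an inherited one such as "toString"), and create
// intermediate containers that have no prototype at all.
function safeSet(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to traverse reserved key ${JSON.stringify(key)}`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Runs both setters against the same attacker-style path and reports what a
// fresh, unrelated object sees afterwards. Removes the pollution it causes so
// the rest of the process is not left in the broken state.
function demonstratePollution() {
  const probe = () => ({}).polluted;
  const before = probe();                    // undefined: nothing polluted yet
  naiveSet({}, '__proto__.polluted', true);
  const afterNaive = probe();                // true: Object.prototype was written
  delete Object.prototype.polluted;          // cleanup
  let blocked = false;
  try {
    safeSet({}, '__proto__.polluted', true);
  } catch (err) {
    blocked = true;
  }
  return { before, afterNaive, blocked, afterSafe: probe() };
}
```

The key-name deny-list is the minimum; a stronger fix is to accept only paths that match the schema the patch operator is supposed to touch. Note that intermediate objects created with Object.create(null) lack toString and friends, so code that later serialises them with anything other than JSON.stringify should be checked.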
Stored XSS and SSRF in Rich-Content Widgets
Three high-severity bugs target the rich-text and image widget flows. CVE-2026-45011 (CVSS 7.3) is a stored XSS in the image widget: an Editor can configure an image widget link to use a javascript: URL payload, and because editors have permission to publish pages, the malicious link becomes visible to site visitors. CVE-2026-45014 (CVSS Medium) is a stored XSS via unsanitized user display names in the draft version tooltip, affecting versions up to 4.29.0. CVE-2026-45012 (CVSS 7.6) is an authenticated server-side request forgery (SSRF) in the rich-text widget import flow — any authenticated user who can submit or edit rich-text content can cause the server to fetch attacker-controlled URLs.
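As an added illustration (not ApostropheCMS code), the two checks below address the widget flows just described: a link validator for editor-supplied hrefs, and a destination guard for the server-side fetch in the rich-text import. Function names, the placeholder base origin and the scheme lists are assumptions for the example.

```javascript
// Added illustration, not ApostropheCMS code. sanitizeWidgetHref() is for the
// image widget link (CVE-2026-45011); isSafeImportTarget() is for the server-side
// fetch in the rich-text import flow (CVE-2026-45012). Both rely on the WHATWG URL
// parser (global URL in Node and browsers) rather than string prefix tests: the
// parser strips leading whitespace and embedded tabs/newlines and normalises
// numeric hosts, which is exactly what href.startsWith('javascript:') or a regex
// on "127.0.0.1" misses.

const LINK_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);
const IMPORT_SCHEMES = new Set(['http:', 'https:']);
// Reserved TLD, used only to resolve relative hrefs so they can be scheme-checked.
const PLACEHOLDER_BASE = 'https://placeholder.invalid/';

// Returns the href to store, or null when it must be rejected.
function sanitizeWidgetHref(href) {
  if (typeof href !== 'string') return null;
  let url;
  try {
    url = new URL(href, PLACEHOLDER_BASE);
  } catch (err) {
    return null;
  }
  if (!LINK_SCHEMES.has(url.protocol)) return null; // javascript:, data:, vbscript:, ...
  // Relative links are kept as written; absolute ones are stored in normalised form.
  return url.origin === new URL(PLACEHOLDER_BASE).origin ? href.trim() : url.href;
}

// True when a hostname is an IP literal in a range the CMS must never fetch from:
// unspecified, loopback, RFC 1918, link-local (which includes cloud metadata at
// 169.254.169.254), and the IPv6 equivalents including IPv4-mapped forms.
function isForbiddenIpLiteral(hostname) {
  if (hostname.startsWith('[')) {                       // URL.hostname brackets IPv6
    const v6 = hostname.slice(1, -1).toLowerCase();
    if (v6 === '::1' || v6 === '::') return true;
    if (/^f[cd]/.test(v6) || /^fe[89ab]/.test(v6)) return true;
    if (v6.startsWith('::ffff:')) {                      // IPv4-mapped, e.g. ::ffff:7f00:1
      const tail = v6.slice(7).split(':');
      if (tail.length === 2) {
        const hi = parseInt(tail[0], 16);
        const lo = parseInt(tail[1], 16);
        return isForbiddenIpLiteral(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
      }
      return isForbiddenIpLiteral(tail.join(':'));      // dotted form, if passed through
    }
    return false;
  }
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Gate for the import fetch. Parsing first means "http://2130706433/" and
// "http://0x7f.1/" are judged as 127.0.0.1 rather than as harmless-looking text.
// Caveat: this covers literals only. A hostname that resolves to a private
// address (including via DNS rebinding between check and connect) needs the same
// test applied to the resolved address at connection time, or an egress proxy.
function isSafeImportTarget(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);                               // relative input throws: rejected
  } catch (err) {
    return false;
  }
  if (!IMPORT_SCHEMES.has(url.protocol)) return false;   // no file:, ftp:, gopher:
  if (url.username || url.password) return false;        // user@host confusion tricks
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  return !isForbiddenIpLiteral(host);
}
```

The link check belongs on the server at save time, not only in the editor UI, since the advisory's attacker is an authenticated editor who can submit the widget payload directly.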
Host Header Injection and Password Reset Hijacking
CVE-2026-45013 (CVSS 8.1) exposes a dangerous pattern in the password reset flow. When apos.baseUrl is not explicitly configured, the reset URL is constructed using req.hostname, which is derived directly from the attacker-controlled HTTP Host header. An unauthenticated attacker can craft a password reset link that points to their own server, potentially intercepting the reset token. A related host-header issue, CVE-2026-53607 (CVSS 3.7), affects the @apostrophecms/file module when prettyUrls: true is enabled — the public pretty-URL handler builds upstream URLs using the raw Host header, enabling cache poisoning or open-redirect scenarios.
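As an added illustration (not ApostropheCMS code), the following shows the Host-header fallback in a reset link builder, a version that fails closed when no absolute baseUrl is configured, and an Express-style allow-list middleware as defence in depth against the same class of issue in the pretty-URL handler. The reset path, config shape and helper names are assumptions; only the baseUrl option and req.hostname come from the advisory.

```javascript
// Added illustration, not ApostropheCMS code: the Host-header fallback described
// for CVE-2026-45013, beside a builder that refuses to issue a reset link unless
// an absolute baseUrl is configured, plus an allow-list middleware. RESET_PATH,
// the config shape and the helper names are assumptions for the example.

const RESET_PATH = '/login/reset';

// Vulnerable shape: when baseUrl is unset the link is built from req.hostname,
// which Express derives from the Host header (or from X-Forwarded-Host when
// 'trust proxy' is enabled); either way the client chooses the value.
function buildResetUrlNaive(req, config, token) {
  const base = config.baseUrl || `${req.protocol}://${req.hostname}`;
  return `${base}${RESET_PATH}?token=${encodeURIComponent(token)}`;
}

// Hardened shape: fail closed. The request is never consulted.
function buildResetUrlSafe(config, token) {
  if (typeof config.baseUrl !== 'string' || !/^https?:\/\/[^/]+/.test(config.baseUrl)) {
    throw new Error('baseUrl must be an absolute origin before reset links are issued');
  }
  const url = new URL(RESET_PATH, config.baseUrl);
  url.searchParams.set('token', token);
  return url.href;
}

// Defence in depth: reject any request whose hostname is not one this site
// actually serves, so a poisoned Host never reaches code that still trusts
// req.hostname. 421 Misdirected Request is the status defined for this case.
function hostAllowlist(allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return function hostCheck(req, res, next) {
    const host = String(req.hostname || '').toLowerCase();
    if (!allowed.has(host)) {
      res.statusCode = 421;
      res.end('misdirected request');
      return;
    }
    next();
  };
}

// Drives the middleware with a minimal fake req/res so its decision can be
// inspected without a running server.
function simulateHostCheck(allowedHosts, hostname) {
  const result = { status: 200, passed: false };
  const res = {
    statusCode: 200,
    end() { result.status = this.statusCode; },
  };
  hostAllowlist(allowedHosts)({ hostname }, res, () => { result.passed = true; });
  return result;
}
```

The middleware must run before anything that reads req.hostname, and the allow-list has to include every hostname the site legitimately answers on, including the one a load balancer uses for health checks.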
Third-Party Package Flaws: SEO and CLI
Two vulnerabilities live in companion packages rather than the core CMS. CVE-2026-53608 (CVSS 8.7) affects the @apostrophecms/seo package up to version 1.4.2. The Google Analytics Tracking ID and Google Tag Manager ID are injected directly into <script> tag bodies using JavaScript template literals without sanitization, allowing stored XSS when an editor with access to the SEO settings panel supplies a malicious ID. CVE-2026-42853 (CVSS 6.5) is a command injection in the @apostrophecms/cli package up to version 3.6.0: user-supplied input from the password prompt in the apos create command is embedded directly into a shell command without proper sanitization.
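Both companion-package bugs are the same mistake in two parsers: untrusted text spliced into source code, once JavaScript and once shell. As an added illustration (not code from @apostrophecms/seo or @apostrophecms/cli), the block below shows each vulnerable shape beside a form that keeps user input out of the parser. The ID formats, snippet shape, binary name and flag names are assumptions for the example.

```javascript
// Added illustration, not code from @apostrophecms/seo or @apostrophecms/cli.
// The ID allow-lists, the gtag snippet shape, and the 'provision-admin' binary
// with its flags are assumptions for the example.

// Conservative ID allow-lists (assumed formats). Rejecting anything else is the
// first line of defence: an analytics ID has no business containing quotes.
const ID_FORMATS = {
  ga: /^(G-[A-Z0-9]{4,16}|UA-\d{4,10}-\d{1,4})$/,
  gtm: /^GTM-[A-Z0-9]{4,12}$/,
};

function validateTrackingId(kind, id) {
  const re = ID_FORMATS[kind];
  return typeof id === 'string' && re !== undefined && re.test(id);
}

// Vulnerable shape: the editor's value becomes JavaScript source.
function renderGaSnippetNaive(id) {
  return `<script>gtag('config', '${id}');</script>`;
}

// Serialises a string as a JavaScript literal that is safe inside a <script>
// body: JSON.stringify handles quotes, backslashes and control characters, and
// the extra replacements keep "</script" and the JS line terminators
// U+2028/U+2029 from ever appearing raw in the output.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened shape: validate, then encode anyway (the two defences are independent).
function renderGaSnippetSafe(id) {
  if (!validateTrackingId('ga', id)) throw new Error('invalid Google Analytics ID');
  return `<script>gtag('config', ${jsStringLiteral(id)});</script>`;
}

// Vulnerable shape for the CLI: the prompt answer is spliced into one shell
// string, so a password such as  x'; echo pwned #  is executed, not passed.
function buildShellCommandNaive(username, password) {
  return `provision-admin --user ${username} --password '${password}'`;
}

// Hardened shape: an argv array for child_process.execFileSync / spawnSync with
// no shell option. Each element reaches the child as one literal argument and the
// shell never sees it, so metacharacters have no meaning. For a secret, passing it
// on stdin or in the environment is better still, since argv is visible to other
// local users in the process list.
function buildCliInvocation(username, password) {
  return {
    file: 'provision-admin',
    args: ['--user', username, '--password', password],
  };
}
```

The encoding step matters even with validation in place: a later change that loosens the regex, or a second field that reuses the template, should not silently reopen the script context.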
Patch Status and Mitigations
As of the disclosure date, patched versions are available for five of the nine CVEs. The prototype pollution (CVE-2026-53609) and the @apostrophecms/file host-header issue (CVE-2026-53607) are fixed in ApostropheCMS 4.30.1. The sanitize-html vulnerability (CVE-2026-44990) is resolved in sanitize-html 2.17.4; because it is a transitive dependency, confirm the version actually installed in your lockfile rather than assuming the core upgrade pulled it in. The SEO package XSS (CVE-2026-53608) is patched in @apostrophecms/seo 1.4.3, and the CLI command injection (CVE-2026-42853) in @apostrophecms/cli 3.6.1. For the remaining four bugs, the stored XSS in the draft version tooltip (CVE-2026-45014), the password reset host-header injection (CVE-2026-45013), the SSRF in rich-text import (CVE-2026-45012) and the image widget XSS (CVE-2026-45011), no patched versions were available at the time of publication. Until they land, administrators should set apos.baseUrl explicitly (which removes the Host-header fallback in the reset flow), leave prettyUrls disabled in the @apostrophecms/file module unless it is needed, restrict outbound network access from the CMS host so that a forced fetch cannot reach internal services, and review who holds editor-level accounts, since every unpatched issue except the reset flow requires an authenticated account. Where the patched SEO and CLI packages cannot be rolled out immediately, restrict access to the SEO settings panel in the meantime.
What This Batch Means for ApostropheCMS Users
This coordinated disclosure is notable not only for the number of CVEs (nine) but for the breadth of attack surface they cover: core prototype pollution, a sanitizer bypass in a third-party library, host-header injection, SSRF, stored XSS across multiple widget types, and command injection in the developer CLI. Because the two critical flaws sit in a core utility and in a dependency every installation carries, nearly every deployment of ApostropheCMS, from small sites to enterprise installations, is affected by at least one of these issues. Users should prioritize upgrading core to 4.30.1 and the companion packages to their patched versions, and monitor the project's advisory page for patches on the remaining unfixed CVEs.