PT-2026-41153 · Apostrophecms+1 · Apostrophe

Published: 2026-05-14 · Updated: 2026-06-15 · CVE-2026-45011

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ApostropheCMS version 4.29.0

Description: A stored cross-site scripting (XSS) vulnerability exists in the image widget. A user with the Editor or Contributor role can set the image widget's link to a javascript: URL. Because editors can publish pages, the malicious widget can be made live. When a user, such as an administrator or a public visitor, clicks the affected image link, arbitrary JavaScript executes in their browser. This can lead to unauthorized actions performed in the context of an authenticated administrator, disclosure of sensitive CMS information, modification of page content, or phishing attacks.

Recommendations: At the time of writing, there is no information about a newer version that contains a fix for this vulnerability. Validate and sanitize all user-supplied URLs in widget link fields: reject dangerous schemes such as javascript: and data:, and allow only safe protocols (http:, https:, mailto:) and relative URLs. Normalize and validate URLs server-side before storing them, and encode rendered URLs safely in templates. Apply a strict Content Security Policy to reduce the impact of cross-site scripting.
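The scheme allowlist and attribute encoding that the recommendations describe, as an added Node.js example; this is not ApostropheCMS's own code, and the function names, the widget fields and the rendered markup are assumptions:

```javascript
// Validate the value of an image widget link field on the server, before it is
// stored. Returns a normalized safe URL, or null when the value must be rejected.
// Allowlist from the advisory: http, https, mailto and relative URLs; everything
// else (javascript:, data:, vbscript:, ...) is rejected.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);
const SCHEME_RE = /^[a-z][a-z0-9+.-]*:/i;

function validateWidgetLink(raw) {
  if (typeof raw !== 'string') return null;
  // Drop leading/trailing ASCII whitespace and C0 controls, as browsers do.
  const trimmed = raw.replace(/^[\u0000-\u0020\u007f]+|[\u0000-\u0020\u007f]+$/g, '');
  if (trimmed === '') return null;
  // The WHATWG parser also removes tabs and newlines anywhere in the input, so
  // "java\tscript:alert(1)" is still a javascript: URL. Detect the scheme on a
  // probe with every control character removed.
  const probe = trimmed.replace(/[\u0000-\u0020\u007f]/g, '');
  if (!SCHEME_RE.test(probe)) return trimmed; // no scheme: relative link, kept as written
  let parsed;
  try {
    parsed = new URL(trimmed);
  } catch {
    return null; // looks like it has a scheme but does not parse: reject
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the widget (hypothetical template): the image is wrapped in <a> only
// when the stored link passes validation; otherwise it is emitted without a link.
function renderImageLink(link, imgSrc, alt) {
  const img = `<img src="${escapeAttr(imgSrc)}" alt="${escapeAttr(alt)}">`;
  const safe = validateWidgetLink(link);
  return safe === null ? img : `<a href="${escapeAttr(safe)}">${img}</a>`;
}
```

Validation runs at save time so a javascript: value never reaches the database, and the attribute escaping keeps a stored URL from breaking out of the href attribute even if an older record was saved before the check existed.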

Tags: Exploit · XSS · Improper Encoding or Escaping of Output


Weakness Enumeration

Related Identifiers: CVE-2026-45011, GHSA-5F64-7VFC-RCX6

Affected Products: Apostrophe