PT-2026-41154 · Apostrophecms+1 · Apostrophe

Published 2026-05-14 · Updated 2026-06-14 · CVE-2026-45012

CVSS v3.1: 7.6 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions

ApostropheCMS versions prior to 4.29.1

Description

An authenticated server-side request forgery (SSRF) exists in the rich-text widget import flow. An authenticated user with permissions to submit or edit rich-text widget content can force the server to fetch attacker-controlled URLs during widget validation. This occurs when the backend accepts a widget payload containing import.html, parses <img> tags, and performs a server-side fetch() on the resolved URL. If the response is image-compatible, the content is persisted and re-hosted by the system, allowing for response exfiltration. This issue can also be used for blind or semi-blind internal port and service discovery. The issue is reachable via the endpoint "/api/v1/@apostrophecms/area/validate-widget?aposMode=draft" using the import.html and baseUrl variables.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-45012
GHSA-PR28-MF3Q-QPG6

Affected Products

Apostrophe