CVE-2026-45012

Summary

Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget

Severity

high

EPSS

0.2% (p8)

Also known as

GHSA-pr28-mf3q-qpg6

Published

2026-05-14

References

• https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-pr28-mf3q-qpg6
• https://nvd.nist.gov/vuln/detail/CVE-2026-45012
• https://github.com/apostrophecms/apostrophe

Related advisories

• CVE-2026-45013 — high · npm/apostrophe
• CVE-2026-35569 — high · npm/apostrophe
• CVE-2026-39857 — medium · npm/apostrophe
• CVE-2026-33889 — medium · npm/apostrophe
• CVE-2026-33888 — medium · npm/apostrophe

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity