Security Advisory - Published 2026-06-13 - ApostropheCMS
ApostropheCMS June 2026 CVEs: reset links, SSRF paths, and sanitizer checks
ApostropheCMS sites should check both application configuration and package versions. The important owner-side question is whether password reset links, rich-text import, image widgets, SEO tracking fields, piece-type REST API endpoints, or uploaded-file pretty URLs are exposed to untrusted users or low-trust editors.
Fast checks
npm ls apostrophe sanitize-html @apostrophecms/seo
grep -RniE "baseUrl|prettyUrls|@apostrophecms/file|@apostrophecms/seo|sanitize-html" app.js modules package.json package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
Set an explicit trusted apos.baseUrl where the app sends password reset links. Review whether editors can publish image widgets, import remote rich-text content, edit SEO tracking IDs, call piece APIs, or manage uploaded files.
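The following is an added example, not code from ApostropheCMS or from this advisory. It contrasts a reset link whose origin comes from the request's Host header with one built from a configured base URL, and adds an app-layer Host check that mirrors the reverse-proxy rule. The config object, request objects, function names and hostnames are assumptions; in an Apostrophe app the configured value plays the role of the explicit apos.baseUrl described above.

```javascript
// Added example, not ApostropheCMS project code. Function names, the config
// object, the request objects and the hostnames below are assumptions.

// Operator-supplied public origin (constructed value). This is the role the
// explicit apos.baseUrl setting plays in an Apostrophe app.
const config = {
  baseUrl: 'https://cms.example.org'
};

// Weak shape: the origin of the link comes from the request's Host header.
// Whoever controls the Host value of the reset request decides which origin
// the victim's reset token is sent to.
function buildResetLinkFromHost(req, token) {
  const proto = req.headers['x-forwarded-proto'] || 'https';
  return `${proto}://${req.headers.host}/password-reset?token=${encodeURIComponent(token)}`;
}

// Hardened shape: the request is not consulted at all. Fails closed when no
// base URL is configured instead of falling back to the Host header.
function buildResetLink(cfg, token) {
  if (!cfg || !cfg.baseUrl) {
    throw new Error('baseUrl is not configured; refusing to derive it from the request');
  }
  const base = new URL(cfg.baseUrl);
  if (base.protocol !== 'https:') {
    throw new Error('baseUrl must be an https origin');
  }
  const link = new URL('/password-reset', base.href);
  link.searchParams.set('token', token);
  return link.toString();
}

// Defence in depth at the app layer: accept only a Host value that matches
// the configured origin, the same rule the reverse proxy should enforce.
function hostMatchesBaseUrl(req, cfg) {
  const expected = new URL(cfg.baseUrl).host.toLowerCase();
  const actual = String(req.headers.host || '').toLowerCase();
  return actual === expected;
}

// Constructed requests: one with a forged Host header as it would arrive
// behind a proxy that does not pin Host, and one legitimate request.
const forgedRequest = {
  headers: { host: 'evil.example.net', 'x-forwarded-proto': 'https' }
};
const legitimateRequest = {
  headers: { host: 'cms.example.org', 'x-forwarded-proto': 'https' }
};
```

Calling `buildResetLinkFromHost(forgedRequest, token)` yields a link on evil.example.net, while `buildResetLink(config, token)` yields one on cms.example.org regardless of the request; `hostMatchesBaseUrl` rejects the forged request so the handler can refuse it before any e-mail is sent.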
What to review
- CVE-2026-44990: update sanitize-html to 2.17.4 or later where Apostrophe or custom code uses it.
- CVE-2026-45013: confirm password reset links are built from a trusted base URL, not a request Host header.
- CVE-2026-45012 / 53607: restrict outbound fetch behavior and review proxy or internal-network access from the app host.
- CVE-2026-45011: review image widgets created by editor accounts and remove unexpected JavaScript-style links.
- CVE-2026-53608: review @apostrophecms/seo Google Analytics and Tag Manager fields. Remove unexpected values before viewing public pages as an administrator.
- CVE-2026-53609: review ApostropheCMS versions through 4.30.0, editor permissions, piece-type REST API access, and recent editor patch activity.
Safe fix path
- Apply the vendor patch when available and update sanitize-html to 2.17.4 or later.
- Set a trusted production base URL and block untrusted Host headers at the reverse proxy.
- Temporarily restrict editor publishing, SEO field editing, REST API access, and remote import features if exposure is unclear.
- Restart the Node.js process after mitigation so any process-lifetime polluted state is cleared.
- Review password reset events, editor activity, outbound request logs, and unexpected public API responses.
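As an added example for the review items on image widget links and @apostrophecms/seo tracking fields (not ApostropheCMS code), the script below walks stored documents and flags link values whose scheme is not on an allowlist, plus tracking IDs that do not match the expected shape, so unexpected values can be found before an administrator views the public pages. The document shape, the link key names, the field names seoGoogleAnalyticsId and seoGoogleTagManagerId, and the ID formats are assumptions; adapt them to the schema actually in use.

```javascript
// Added example, not ApostropheCMS project code. The document shape, the
// link key names, the SEO field names and the ID formats are assumptions.

const ALLOWED_LINK_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);
const LINK_KEYS = new Set(['href', 'link', 'url', 'src']);

// Assumed formats for the tracking fields; tighten to match the account.
const TRACKING_ID_PATTERNS = {
  seoGoogleAnalyticsId: /^(G-[A-Z0-9]{4,}|UA-\d+-\d+)$/,
  seoGoogleTagManagerId: /^GTM-[A-Z0-9]{4,}$/
};

// Resolve against a dummy origin so relative links ("/about") count as
// same-site https links. WHATWG parsing also strips the tab and newline
// characters sometimes inserted to disguise a scheme.
function linkScheme(value) {
  try {
    return new URL(String(value), 'https://placeholder.invalid/').protocol;
  } catch {
    return null;
  }
}

function isSuspiciousLink(value) {
  if (value == null || value === '') return false;
  const scheme = linkScheme(value);
  return scheme === null || !ALLOWED_LINK_SCHEMES.has(scheme);
}

// Walk one document and return findings with a dotted path to each value.
function scanDocument(doc) {
  const findings = [];
  const visit = (node, path) => {
    if (Array.isArray(node)) {
      node.forEach((item, i) => visit(item, `${path}[${i}]`));
      return;
    }
    if (!node || typeof node !== 'object') return;
    for (const [key, value] of Object.entries(node)) {
      const here = path ? `${path}.${key}` : key;
      if (typeof value === 'string') {
        if (LINK_KEYS.has(key) && isSuspiciousLink(value)) {
          findings.push({ docId: doc._id, path: here, value, reason: 'link scheme not allowed' });
        }
        const pattern = TRACKING_ID_PATTERNS[key];
        if (pattern && !pattern.test(value)) {
          findings.push({ docId: doc._id, path: here, value, reason: 'tracking id has unexpected format' });
        }
      } else {
        visit(value, here);
      }
    }
  };
  visit(doc, '');
  return findings;
}

function reviewDocuments(docs) {
  return docs.flatMap(scanDocument);
}

// Constructed sample documents: a page with three image widgets and a
// global document carrying the SEO fields.
const sampleDocs = [
  {
    _id: 'page-home',
    title: 'Home',
    main: {
      items: [
        { type: 'image', href: 'https://example.org/gallery' },
        { type: 'image', href: 'javascript:void(0)' },
        { type: 'image', href: '/about' }
      ]
    }
  },
  {
    _id: 'global',
    seoGoogleAnalyticsId: 'G-ABCD1234',
    seoGoogleTagManagerId: 'not-a-tag-manager-id'
  }
];
```

Running `reviewDocuments(sampleDocs)` reports the second image widget and the Tag Manager field; each finding carries the document id and path so the value can be located and removed in the editor.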
Ping7 repair path
Ping7 can review ApostropheCMS package versions, reset-link configuration, editor activity, SEO fields, REST API exposure, and reverse-proxy headers. Use CVE Repair if the site has public login, multiple editors, or sensitive internal services reachable from the CMS host.