Security Advisory - Published 2026-06-13 - ApostropheCMS

ApostropheCMS June 2026 CVEs: reset links, SSRF paths, and sanitizer checks

ApostropheCMS sites should check both application configuration and package versions. The important owner-side question is whether password reset links, rich-text import, image widgets, SEO tracking fields, piece-type REST API endpoints, or uploaded-file pretty URLs are exposed to untrusted users or low-trust editors.

Defensive scope: this guide avoids payloads. It covers config review, package checks, content audit, and temporary mitigations for sites you own or manage.

Fast checks

npm ls apostrophe sanitize-html @apostrophecms/seo    # lists every copy in the tree, nested copies included
grep -RniE "baseUrl|prettyUrls|@apostrophecms/(file|seo)|sanitize-html" app.js modules package.json package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null

Set an explicit, trusted baseUrl option in app.js (exposed as apos.baseUrl) so password reset links are built from it rather than from anything in the request. Review whether editors can publish image widgets, import remote rich-text content, edit SEO tracking IDs, call piece-type REST APIs, or manage uploaded files.
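The npm ls line above answers the version question for one tree, but a lockfile can carry several copies of the same package and a fix at the top level does not reach a nested copy. The script below is an added example for this guide, not ApostropheCMS or Ping7 code: it walks a lockfileVersion 2/3 package-lock.json and reports every copy of sanitize-html below the 2.17.4 floor named in this advisory. The lockfile contents and the package name legacy-import-helper are constructed for the demonstration.

```javascript
// Added example, not ApostropheCMS or Ping7 code: audit an npm lockfile
// (lockfileVersion 2 or 3, which carry a "packages" map keyed by path)
// for every copy of sanitize-html, flagging versions below 2.17.4.
// lockfileVersion 1 files use a nested "dependencies" tree instead and
// are not handled here.

const MIN_SANITIZE_HTML = '2.17.4';

// Compare the major.minor.patch core of two versions. Pre-release tags
// and a leading "v" are dropped, which is enough for a floor check.
function compareVersions(a, b) {
  const pa = a.replace(/^v/, '').split('-')[0].split('.').map(Number);
  const pb = b.replace(/^v/, '').split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every entry whose path ends in node_modules/<name>: the top-level copy
// and any copy hoisted under another dependency's own node_modules.
function findPackageCopies(lock, name) {
  const copies = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    if (pkgPath === `node_modules/${name}` || pkgPath.endsWith(`/node_modules/${name}`)) {
      copies.push({ path: pkgPath, version: entry.version, dev: Boolean(entry.dev) });
    }
  }
  return copies;
}

// Returns one record per copy with a vulnerable flag against the floor.
function auditSanitizeHtml(lock) {
  return findPackageCopies(lock, 'sanitize-html').map(c => ({
    ...c,
    vulnerable: compareVersions(c.version, MIN_SANITIZE_HTML) < 0,
  }));
}

// Constructed sample lockfile: the top-level copy is patched, but a
// hypothetical custom module (legacy-import-helper) pins an old nested
// copy that "npm ls" output is easy to skim past.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-site', version: '1.0.0' },
    'node_modules/apostrophe': { version: '4.30.0' },
    'node_modules/sanitize-html': { version: '2.17.4' },
    'node_modules/legacy-import-helper': { version: '0.3.1' },
    'node_modules/legacy-import-helper/node_modules/sanitize-html': { version: '2.13.0' },
  },
};

const findings = auditSanitizeHtml(sampleLock);
for (const f of findings) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.path} ${f.version}`);
}
```

To run it against a real project, replace sampleLock with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). pnpm-lock.yaml and yarn.lock use different formats, so for those trees rely on the grep line above and the package manager's own listing.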

What to review

  • CVE-2026-44990: update sanitize-html to 2.17.4 or later wherever Apostrophe or custom code depends on it, nested copies included.
  • CVE-2026-45013: confirm password reset links are built from a configured, trusted base URL, not from the request Host header.
  • CVE-2026-45012 and CVE-2026-53607: restrict where the application may send outbound requests (remote import and similar fetches) and review which proxies and internal-network services are reachable from the app host.
  • CVE-2026-45011: review image widgets created by editor accounts and remove links that use a script scheme (javascript: and similar) rather than http, https, mailto or a site-relative path.
  • CVE-2026-53608: review the @apostrophecms/seo Google Analytics and Tag Manager fields and remove any value that is not a plain tracking ID before viewing public pages as an administrator.
  • CVE-2026-53609: on ApostropheCMS versions up to and including 4.30.0, review editor permissions, piece-type REST API access, and recent editor patch activity.
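The reset-link and outbound-fetch items above are both decisions about which URL to trust. The block below is an added example written for this guide, not ApostropheCMS's own implementation or Ping7 code: it contrasts a reset link built from the Host header with one built from a configured base URL, adds a Host allowlist check for the app layer, and shows an allowlist check for URLs an editor asks the server to fetch. The function names, the req shape, the config object and the hostnames are assumptions for illustration.

```javascript
// Added example, not ApostropheCMS or Ping7 code. Two URL trust
// decisions from the advisory: build password-reset links only from a
// configured baseUrl (never from the request Host header), and allow
// outbound import fetches only to an explicit host allowlist with
// loopback and private destinations rejected. Function names, the req
// shape and the config object are assumptions for illustration.

// --- 1. Password-reset links ---------------------------------------

// Weak pattern, kept only as the "before": the host is copied from the
// client-controlled Host header, so whoever triggers a reset for a
// victim can choose which domain the token link points at.
function resetLinkFromHost(req, token) {
  return `${req.protocol}://${req.headers.host}/reset-password?token=${encodeURIComponent(token)}`;
}

// Hardened pattern: scheme and host come from trusted configuration
// (an origin such as https://cms.example.com). Malformed or non-https
// configuration fails loudly instead of silently falling back.
function resetLinkFromConfig(baseUrl, token) {
  const base = new URL(baseUrl);                  // throws on malformed input
  if (base.protocol !== 'https:') throw new Error('baseUrl must be an https origin');
  const link = new URL('/reset-password', base.origin);
  link.searchParams.set('token', token);          // URL-encodes the token
  return link.toString();
}

// Defence in depth at the app layer: refuse requests whose Host header
// is not a hostname this site serves. The reverse proxy should enforce
// the same list; this catches a proxy that forwards Host unchanged.
function hostAllowed(hostHeader, allowedHosts) {
  if (typeof hostHeader !== 'string' || !/^[A-Za-z0-9.:\[\]-]+$/.test(hostHeader)) return false;
  let hostname;
  try { hostname = new URL(`http://${hostHeader}/`).hostname; } catch { return false; }
  return allowedHosts.includes(hostname.toLowerCase());
}

// --- 2. Outbound fetch targets (remote rich-text import and similar) --

// IPv4 literals an application host should never be asked to fetch from:
// 0.0.0.0/8, loopback, RFC 1918, link-local (where cloud metadata
// services live) and CGNAT space.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// Allowlist check for a URL an editor asked the server to fetch.
function outboundUrlAllowed(rawUrl, allowedHosts) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  if (url.protocol !== 'https:') return false;          // no http:, file:, gopher:, ...
  if (url.username || url.password) return false;       // no user@host confusion
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (host.startsWith('[') || isPrivateIPv4(host)) return false; // IPv6 literal or private IPv4
  return allowedHosts.includes(host);
}

// Constructed configuration and a constructed hostile request.
const config = {
  baseUrl: 'https://cms.example.com',
  allowedHosts: ['cms.example.com'],
  importHosts: ['content.example.com'],
};
const hostileReq = { protocol: 'https', headers: { host: 'attacker.example' } };

console.log('weak    :', resetLinkFromHost(hostileReq, 'tok'));
console.log('hardened:', resetLinkFromConfig(config.baseUrl, 'tok'));
console.log('host ok :', hostAllowed(hostileReq.headers.host, config.allowedHosts));
console.log('import  :', outboundUrlAllowed('https://content.example.com/post.html', config.importHosts));
console.log('import  :', outboundUrlAllowed('https://10.0.0.5/admin', config.importHosts));
```

The IP checks only cover address literals; a hostname on the allowlist that resolves to an internal address, or changes what it resolves to between check and fetch, is not caught here, so the allowlist of hostnames is the control that matters and it should be short. Apply the same check to every redirect target too, since HTTP clients follow redirects by default.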

Safe fix path

  1. Apply the vendor patch when available and update sanitize-html to 2.17.4 or later.
  2. Set a trusted production base URL and block untrusted Host headers at the reverse proxy.
  3. Temporarily restrict editor publishing, SEO field editing, REST API access, and remote import features if exposure is unclear.
  4. Restart the Node.js process after mitigation so any state polluted earlier in the process lifetime is discarded.
  5. Review password reset events, editor activity, outbound request logs, and unexpected public API responses.
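Steps 3 and 5 and the image-widget and SEO items in the review list come down to a content audit: find stored values that editors should not have been able to save. The script below is an added example for this guide, not ApostropheCMS or Ping7 code. It walks exported documents, flags image widget links whose scheme is anything other than http, https, mailto or a relative path (after undoing whitespace obfuscation), and flags SEO tracking fields that are not a plain Google Analytics or Tag Manager ID. The field names (a "link" property on image widgets, seoGoogleAnalyticsId, seoGoogleTagManagerId), the "two-column" layout widget and the sample documents are assumptions constructed for the demonstration.

```javascript
// Added example, not ApostropheCMS or Ping7 code: an offline audit over
// exported documents that flags image widget links with a non-http(s)/
// mailto scheme and SEO tracking fields that do not look like a Google
// Analytics or Tag Manager ID. Field names and the layout widget type
// are assumptions; map them to your project's schema.

// Bring an href to roughly the shape a browser sees before scheme
// detection: leading C0 controls and spaces are dropped, and tab, CR and
// LF anywhere are removed, so "\tjavascript:" and "java\nscript:" are
// not hidden from the check below.
function normaliseHref(href) {
  return String(href).replace(/^[\u0000-\u0020]+/, '').replace(/[\t\r\n]/g, '');
}

// Accept relative paths, fragments, queries, protocol-relative links and
// http, https and mailto URLs. Any other scheme (javascript, data,
// vbscript, ...) is a finding.
function isAcceptableHref(href) {
  const h = normaliseHref(href);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(h);
  if (!m) return true;                          // no scheme at all
  return ['http', 'https', 'mailto'].includes(m[1].toLowerCase());
}

// GA4 measurement IDs look like G-XXXXXXXXXX, Universal Analytics IDs
// like UA-12345-1 and Tag Manager containers like GTM-XXXXXXX. Anything
// else in these fields is unexpected and worth a look.
const TRACKING_ID = /^(G-[A-Z0-9]{6,12}|UA-\d{4,10}-\d{1,4}|GTM-[A-Z0-9]{5,9})$/;
function isPlausibleTrackingId(value) {
  return TRACKING_ID.test(String(value).trim());
}

// Walk every widget in a document. Apostrophe 3+ marks widgets with
// metaType 'widget'; widgets can carry nested areas, so recurse into
// every object after yielding it.
function* iterateWidgets(node) {
  if (Array.isArray(node)) { for (const n of node) yield* iterateWidgets(n); return; }
  if (!node || typeof node !== 'object') return;
  if (node.metaType === 'widget') yield node;
  for (const v of Object.values(node)) yield* iterateWidgets(v);
}

// One finding per suspicious stored value, with the document it lives in.
function auditDocs(docs) {
  const findings = [];
  for (const doc of docs) {
    for (const w of iterateWidgets(doc)) {
      if (w.type === '@apostrophecms/image' && w.link && !isAcceptableHref(w.link)) {
        findings.push({ doc: doc._id, kind: 'image-link', value: w.link });
      }
    }
    for (const field of ['seoGoogleAnalyticsId', 'seoGoogleTagManagerId']) {
      if (doc[field] && !isPlausibleTrackingId(doc[field])) {
        findings.push({ doc: doc._id, kind: field, value: doc[field] });
      }
    }
  }
  return findings;
}

// Constructed sample export: one page with a tab-prefixed script-scheme
// link, one with a nested layout widget and a tracking field carrying
// extra markup.
const sampleDocs = [
  {
    _id: 'page1', metaType: 'doc', slug: '/about',
    seoGoogleAnalyticsId: 'G-AB12CD34EF', seoGoogleTagManagerId: 'GTM-ABC1234',
    main: { metaType: 'area', items: [
      { metaType: 'widget', type: '@apostrophecms/image', link: 'https://example.com/brochure.pdf' },
      { metaType: 'widget', type: '@apostrophecms/image', link: '\tJavaScript:void(0)' },
    ] },
  },
  {
    _id: 'page2', metaType: 'doc', slug: '/news',
    seoGoogleAnalyticsId: 'UA-12345-1', seoGoogleTagManagerId: 'GTM-ABC1234 <!-- injected markup -->',
    main: { metaType: 'area', items: [
      { metaType: 'widget', type: 'two-column', left: { metaType: 'area', items: [
        { metaType: 'widget', type: '@apostrophecms/image', link: '/files/report.pdf' },
      ] } },
    ] },
  },
];

for (const f of auditDocs(sampleDocs)) console.log(f);
```

Run it over a JSON export of the pages and pieces collection rather than against the live database, and treat every finding as something to remove and then trace back to the editor account and time it was saved, which feeds the activity review in step 5.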

Ping7 repair path

Ping7 can review ApostropheCMS package versions, reset-link configuration, editor activity, SEO fields, REST API exposure, and reverse-proxy headers. Use CVE Repair if the site has public login, multiple editors, or sensitive internal services reachable from the CMS host.
