Apostrophe Vulnerable to Stored Cross-Site Scripting via Unsanitized User Display Name in Draft Version Tooltip
CVE-2026-45014

5.3MEDIUM

Key Information:

Vendor: Apostrophecms
Status: Apostrophe
Vendor: CVE Published:; 12 June 2026

🔔 Create Apostrophecms Vulnerability Alert

What is CVE-2026-45014?

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 are vulnerable to stored cross-site scripting via unsanitized user display name in draft version tooltip. As of time of publication, no known patched versions are available.

Affected Version(s)

apostrophe <= 4.29.0

References

https://github.com/apostrophecms/apostrophe/security/advi...

x_refsource_CONFIRM

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
May 8, 2026

CVE-2026-45014 Data

JSON