CVE-2026-45013 Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation

🗓️ 12 Jun 2026 20:46:21Reported by GitHub_MType

CVE-2026-45013: ApostropheCMS reset links rely on host header, enabling token leakage and account takeover.

Reporter	Title	Published	Views	Family All 10
CVE	CVE-2026-45013	12 Jun 202620:46	–	cve
EUVD	EUVD-2026-36571	12 Jun 202620:46	–	euvd
Github Security Blog	Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation	14 May 202618:27	–	github
NVD	CVE-2026-45013	12 Jun 202621:16	–	nvd
OSV	GHSA-GF43-24G3-5HW2 Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation	14 May 202618:27	–	osv
Patchstack	NPM: Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation	14 May 202618:27	–	patchstack
Positive Technologies	PT-2026-41155	14 May 202600:00	–	ptsecurity
Snyk	Weak Password Recovery Mechanism for Forgotten Password	14 May 202618:27	–	snyk
vulnersOsv	@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by CVE-2026-45013 via apostrophe (>=0.5.393 <=2.227.12)	14 May 202618:27	–	vulnersosv
Vulnrichment	CVE-2026-45013 Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation	12 Jun 202620:46	–	vulnrichment

[
  {
    "vendor": "apostrophecms",
    "product": "apostrophe",
    "versions": [
      {
        "version": "<= 4.29.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/apostrophecms/apostrophe/security/advisories/GHSA-gf43-24g3-5hw2

12 Jun 2026 20:46Current

CVSS 3.18.1

EPSS0.0014