2 matches found
CVE-2026-45011 Apostrophe has stored XSS via javascript: URL in Image Widget Link
ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to...
Improper Encoding or Escaping of Output
Overview launder is an A sanitize module for the people. Built for ApostropheCMS. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An attacker can execute arbitrary JavaScript by supplying a javascript: URL in an image...