Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation
- Severity:
- High
Description
ApostropheCMS’s password reset flow constructs the reset URL using req.hostname, which is derived directly from the attacker-controlled HTTP Host header when apos.baseUrl is not explicitly configured.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 4.29.0
References
Related Issues
- jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
- Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
- Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input - CVE-2026-33891
- ejs vulnerable to DoS due to weak input validation - CVE-2017-1000189
You might also like:
- Tags:
- npm
- apostrophe
Anything's wrong? Let us know Last updated on May 19, 2026


