Description
A stored cross-site scripting vulnerability was identified in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload.
Because editors have permission to publish pages, the malicious widget can be published to the live site.
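The weakness described above is a link field that accepts any URL scheme. As an added illustration (not ApostropheCMS code), the check below allow-lists the scheme of a user-supplied link before it is stored; `isSafeLinkUrl`, `sanitizeWidgetLink`, the resolve base and the sample inputs are all constructed here.

```javascript
// Added example (not ApostropheCMS code): allow-list the URL scheme of a
// user-supplied link before it is stored or rendered into an href attribute.
// The WHATWG URL parser strips leading/trailing control characters and
// embedded tabs/newlines, so obfuscated forms such as " JaVaScRiPt:" or
// "java\tscript:" normalise to the same protocol as the plain scheme.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Constructed base, used only so relative links ("/about", "#top") resolve.
const RESOLVE_BASE = 'https://example.invalid/';

function isSafeLinkUrl(href) {
  if (typeof href !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(href, RESOLVE_BASE);
  } catch {
    return false; // unparsable input is rejected, never passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Value to persist for the widget: the original href when its scheme is
// allowed, otherwise an inert placeholder so no executable scheme is stored.
function sanitizeWidgetLink(href) {
  return isSafeLinkUrl(href) ? href : '#';
}

// Classify a list of links; returns { href: 'allow' | 'block' }.
function classifyLinks(hrefs) {
  const result = {};
  for (const href of hrefs) {
    result[href] = isSafeLinkUrl(href) ? 'allow' : 'block';
  }
  return result;
}

// Constructed sample inputs: legitimate links beside scheme obfuscations.
const SAMPLES = [
  'https://example.com/page',
  '/relative/path',
  'mailto:editor@example.com',
  'javascript:alert(1)',
  ' JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<b>x</b>',
  'vbscript:msgbox(1)'
];

console.log(classifyLinks(SAMPLES));
```

Only the scheme is checked here; host allow-listing or link rewriting for protocol-relative `//` URLs is a separate policy decision.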
Recommendation
No fix is available yet. The following versions are affected:
- = 4.29.0
References
Related Issues
- Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` - CVE-2026-44990
- ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context - CVE-2026-33889
- SCEditor has DOM XSS via emoticon URL/HTML injection - CVE-2026-25581
- HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft - CVE-2026-46496
- Tags:
- npm
- apostrophe
Last updated on May 14, 2026