Severity by source
Primary rating from vendor (GitHub_M): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Rationale: non-default prettyUrls config justifies AC:H; SSRF probing of other systems justifies S:C; blind response oracle yields C:L with no integrity or availability impact.
Description (source: CVE.org)
ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, when `prettyUrls: true` is enabled on `@apostrophecms/file` (a documented SEO feature for serving uploaded files at clean URLs), the public pretty-URL handler builds the upstream URL from the raw `Host` HTTP request header. That URL is then fetched, and the response body and headers are streamed straight back to the requester. Because `Host` is fully attacker-controlled, an unauthenticated remote attacker can make the Apostrophe process issue outbound HTTP requests to any host it can reach on the private network. The path component is constrained to `/uploads/attachments/<cuid>-<slug>.<ext>` (built from a local database lookup), which keeps the impact narrow: cross-instance data exfiltration is neutralized by cuid uniqueness, but blind-SSRF residuals remain (network-topology mapping via response-code and timing differences, and verbose proxy/WAF 404 body disclosure). At the time of publication, no patched versions are known.
Analysis (AI-generated)
Server-Side Request Forgery in ApostropheCMS through version 4.30.0 allows unauthenticated remote attackers to make the Node.js application process issue outbound HTTP requests to arbitrary hosts on the internal network when the `prettyUrls` SEO feature is explicitly enabled on the `@apostrophecms/file` module. The attack exploits the raw `Host` HTTP request header, which the pretty-URL handler uses verbatim to construct and `fetch()` an upstream URL, streaming the full HTTP response (status code, headers, and body) back to the requester. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the `prettyUrls: true` option to be explicitly enabled on the `@apostrophecms/file` module. This is a non-default, administrator-configured SEO feature that must be deliberately activated, which is captured by AC:H in the CVSS vector. … |
| Risk Assessment | The official CVSS 3.1 score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) accurately reflects the non-default trigger condition via AC:H and the constrained blind-SSRF impact via C:L. … |
| Exploit Scenario | An attacker identifies a publicly accessible ApostropheCMS instance with `prettyUrls` enabled and enumerates a valid attachment cuid and slug from the site's public content. The attacker sends a GET request to the corresponding pretty-URL path (e.g., `/uploads/attachments/<cuid>-<slug>.jpg`) with the `Host` header replaced by an internal target such as `169.254.169.254` (cloud IMDS) or `internal-api:8080`. … |
| Remediation | No vendor-released patch has been identified at the time of analysis; GitHub Security Advisory GHSA-34pj-2622-jvxq (https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-34pj-2622-jvxq) should be monitored closely for a fix release. … |
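The description above explains the defect (upstream origin derived from the raw `Host` header) and the remediation row notes that no patch is available, so a compensating control has to be applied at the application or proxy layer. The following is an added example, not ApostropheCMS's own code and not the vendor's fix: a pretty-URL style handler whose upstream origin comes only from configuration, with the `Host` header checked against the deployment's canonical names, next to a small access-log check that flags attachment requests arriving with a non-canonical `Host`. The `CONFIG` shape, the hostnames, the function names and the JSON-lines log format are all assumptions constructed for this illustration.

```javascript
// Added example (not ApostropheCMS project code): a pretty-URL style proxy
// handler that takes its upstream origin from configuration, plus a log check
// for attachment requests that arrive with an unexpected Host header. The
// config shape, hostnames and log format are assumptions for this illustration.

// Constructed configuration: the canonical public hostnames this deployment
// answers to, and the only origin the process may fetch attachments from.
const CONFIG = {
  allowedHosts: new Set(['cms.example.com', 'www.example.com']),
  upstreamOrigin: 'https://cdn.example.com',
};

// Shape of the attachment path named in the advisory:
// /uploads/attachments/<cuid>-<slug>.<ext>
const ATTACHMENT_PATH = /^\/uploads\/attachments\/[a-z0-9]+-[a-z0-9-]+\.[a-z0-9]+$/i;

// Lower-case the Host value and strip an optional :port suffix. Returns null
// for anything that is not a plain hostname, IPv4 literal or bracketed IPv6.
function normalizeHost(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const m = /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::\d{1,5})?$/i.exec(hostHeader.trim());
  return m ? m[1].toLowerCase() : null;
}

// The defective pattern the advisory describes: the upstream URL is built
// from the raw Host header, so the request sender chooses the destination.
function buildUpstreamUrlUnsafe(hostHeader, reqPath) {
  return `https://${hostHeader}${reqPath}`;
}

// Hardened form: Host must be one of the configured canonical names, the path
// must match the attachment shape, and the origin comes only from CONFIG.
// Returns null when the request should be refused instead of proxied.
function buildUpstreamUrlSafe(hostHeader, reqPath, config = CONFIG) {
  const host = normalizeHost(hostHeader);
  if (host === null || !config.allowedHosts.has(host)) return null;
  if (typeof reqPath !== 'string' || !ATTACHMENT_PATH.test(reqPath)) return null;
  const url = new URL(reqPath, config.upstreamOrigin);
  // Defense in depth: refuse if the resolved URL somehow left the configured origin.
  if (url.origin !== config.upstreamOrigin) return null;
  return url.toString();
}

// Detection over access logs: attachment requests whose Host header is not a
// canonical name are worth alerting on while no fix is available.
// Constructed JSON-lines log format: {"host": ..., "path": ..., "status": ...}
function findUnexpectedHostRequests(logLines, config = CONFIG) {
  const hits = [];
  for (const line of logLines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    if (typeof entry.path !== 'string' || !entry.path.startsWith('/uploads/attachments/')) continue;
    const host = normalizeHost(entry.host);
    if (host === null || !config.allowedHosts.has(host)) hits.push(entry);
  }
  return hits;
}

// Constructed sample log lines for a stand-alone run.
const SAMPLE_LOG = [
  JSON.stringify({ host: 'cms.example.com', path: '/uploads/attachments/clx1abc-photo.jpg', status: 200 }),
  JSON.stringify({ host: 'not-a-canonical-name.local', path: '/uploads/attachments/clx1abc-photo.jpg', status: 404 }),
  JSON.stringify({ host: 'cms.example.com', path: '/', status: 200 }),
  JSON.stringify({ host: '10.0.0.5:8080', path: '/uploads/attachments/clx1abc-photo.jpg', status: 502 }),
];

console.log(buildUpstreamUrlSafe('cms.example.com:443', '/uploads/attachments/clx1abc-photo.jpg'));
console.log(buildUpstreamUrlSafe('not-a-canonical-name.local', '/uploads/attachments/clx1abc-photo.jpg'));
console.log(findUnexpectedHostRequests(SAMPLE_LOG).map((e) => e.host));
```

The same check can sit in front of the application (a reverse proxy that only forwards requests whose `Host` matches the canonical names) until a vendor fix ships; the log scan is useful for finding probing that has already happened, since a mismatched `Host` on an attachment path has no legitimate reason to occur.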
EUVD identifier: EUVD-2026-36576