CVE-2026-53607
LowCVSS 3.7Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
ApostropheCMS is a Node.js content management system that has a vulnerability related to `prettyUrls` in versions up to 4.30.0. When this option is enabled, an attacker can exploit the `Host` header to send HTTP requests to any host on the private network.
Risk Assessment
This vulnerability allows unauthorized HTTP requests, potentially leading to data leakage or network topology mapping. While the risk of cross-instance data exfiltration is limited, the residual effects can be serious.
Recommendation
It is recommended to disable the `prettyUrls` option in `@apostrophecms/file` until a patch is released. Also, monitor for available updates to install fixes when they become available.
Original NVD description (English source)
ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, when `prettyUrls: true` is enabled on `@apostrophecms/file` (a documented SEO feature for serving uploaded files at clean URLs), the public pretty-URL handler builds the upstream URL using the raw `Host` HTTP request header. That URL is then `fetch`'ed and the response body + headers are streamed straight back to the requester. Because `Host` is fully attacker-controlled, an unauthenticated remote attacker can pivot the apostrophe process to issue outbound HTTP requests against any host it can reach on the private network. The path component is constrained to `/uploads/attachments/<cuid>-<slug>.<ext>` (built from a local-DB lookup), which keeps the impact narrow: cross-instance data exfiltration is neutralized by cuid uniqueness, but blind-SSRF residuals remain (network-topology mapping via response-code / timing differences and verbose proxy/WAF 404 body disclosure). As of time of publication, no known patched versions exist.

