ApostropheCMS 4.30.0: A new release cadence, accessibility improvements, and bug fixes

Release notes for Apostrophe 4.30.0 and extensions that were published in the cycle ending May 13th, 2026.

Hello Apostrophe Community!

Apostrophe 4.30.0 is a focused maintenance release: bug fixes, accessibility improvements, and security patches with no new features. It is also the first release under our new release model.

A New Release Cadence

Starting with this release, ApostropheCMS ships on a predictable two-track schedule designed to make upgrades safer and more manageable, particularly for teams running production sites with multiple stakeholders.

Monthly maintenance releases focus on bug fixes, security patches, and accessibility improvements. As a strong default, they will not introduce UI changes or new features — so they are generally safe to apply without workflow disruption. Occasionally, when a missing capability constitutes a significant enough gap in the UX that we consider it a bug, we may include a targeted correction. We'll flag those clearly when they occur.

Quarterly feature releases will group related work into coherent, themed sets with advance communication before they ship. The next quarterly release is scheduled for June 10, 2026, with a theme of Developer Activation.

And starting with our June release, the new two-track release plan will allow teams to decide whether to follow our latest releases in production, or receive those one quarter later while continuing to get bug fixes and security fixes in the meantime. This will allow dev teams to more fully evaluate “latest” while production remains on “stable.” We are still finalizing the technical approach for how teams will manage which track they are on, and will share that guidance ahead of the June release. In the meantime, npm update continues to work as it always has.

This model came directly out of feedback from enterprise teams who need to be able to apply a security patch without absorbing an unannounced UI change, and who need enough advance visibility into upcoming features to plan their own work. We think it will benefit teams of all sizes.

A new roadmap

As part of our new release cadence, we’ve also shared a clearer roadmap to upcoming quarterly feature releases. As always, you can also submit and upvote possible features. Let us know what you think.

Layout Widget: Editor Control Over Gap

Previously, the spacing between items in a layout widget grid could only be set by a developer in module code. Editors can now control it themselves through the styles system, either site-wide via a global layoutGap preset, or per widget via a gap styles field. A new className option also allows developers to attach additional CSS class names to the widget's grid container for more flexible styling. This improvement applies to both standard Nunjucks-based projects and projects using the Astro integration. Note that, as always, developers must explicitly add this feature to their sites if they want it.

Accessibility Improvements

This release includes a focused round of fixes to bring the admin UI into closer compliance with accessibility guidelines, covering ARIA semantics, screen reader support, and labeling across the navigation bar, locale switcher, and admin bar controls. The @apostrophecms-pro/doc-template-library and @apostrophecms-pro/section-template-library modules also received improved tooltip labels.

Security Updates

This release includes six security fixes across apostrophe core, sanitize-html, launder, and @apostrophecms/cli. We encourage all users to upgrade promptly.

This release addresses:

  • XSS via the xmp tag in sanitize-html, which could be used to pass forbidden markup through the sanitizer even when xmp was not explicitly permitted
  • XSS via a malicious full name containing HTML, which was executed in the page title tooltip and exposed other users
  • XSS via javascript: URLs in the image widget link field, exploitable by any user with editing privileges, including contributors. A database migration is included to strip any such URLs already present
  • Server-side request forgery in the rich text widget's HTML import feature, which could be used to probe internal networks or exfiltrate images from internal hosts. Image imports from external hosts are now opt-in via the new imageImportAllowedHostnames option on @apostrophecms/rich-text-widget. Note that this means you must configure this new option if you are using the API-based HTML import feature with img elements
  • An email phishing vector in the password reset feature, which could be used to send emails containing links to arbitrary external sites. The password reset feature now requires baseUrl or APOS_BASE_URL to be set before it will operate (this is automatic in multisite projects). This only affects projects with passwordReset: true enabled on the login module
  • Shell injection in @apostrophecms/cli, where passwords or starter kit URLs containing malicious punctuation could be used to run arbitrary shell commands in scripted use
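As an added illustration of the hostname allowlist idea behind the new imageImportAllowedHostnames option (example code written for these notes, not Apostrophe's own implementation, with constructed hostnames and function names), the check below accepts only plain http(s) URLs whose hostname is exactly on the list and rejects the parser tricks that commonly slip past naive string matching:

```javascript
// Constructed allowlist for the example; an empty list means external image
// imports stay disabled, matching the opt-in behaviour described above.
const ALLOWED_IMAGE_HOSTNAMES = ['cdn.example.com', 'images.example.org'];

// Decide whether an <img src> found in imported HTML may be fetched by the
// server. Returns false for anything that is not a plain http(s) URL whose
// hostname is exactly on the allowlist. (Hypothetical helper, not Apostrophe API.)
function isAllowedImageSource(src, allowedHostnames = ALLOWED_IMAGE_HOSTNAMES) {
  let url;
  try {
    url = new URL(String(src));
  } catch {
    return false; // relative or malformed: not an external fetch
  }
  // Refuse file:, ftp:, data:, javascript: and friends outright.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return false;
  }
  // "https://cdn.example.com@127.0.0.1/x.png" parses with userinfo; the real
  // host is the loopback address, so never let credentials through.
  if (url.username !== '' || url.password !== '') {
    return false;
  }
  // WHATWG parsing already lowercases the hostname and converts IDN labels to
  // punycode; a trailing dot ("cdn.example.com.") names the same host.
  const hostname = url.hostname.replace(/\.$/, '');
  // Note: an allowlisted name can still resolve to an internal address (DNS
  // rebinding); a fetcher should also check the resolved IP before connecting.
  return allowedHostnames.some(
    (h) => h.toLowerCase().replace(/\.$/, '') === hostname
  );
}

// Apply the gate to a list of candidate sources, e.g. collected from <img>
// tags in an HTML import, and report what was blocked so it can be logged.
function partitionImageSources(sources, allowedHostnames = ALLOWED_IMAGE_HOSTNAMES) {
  const allowed = [];
  const blocked = [];
  for (const src of sources) {
    (isAllowedImageSource(src, allowedHostnames) ? allowed : blocked).push(src);
  }
  return { allowed, blocked };
}
```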

Thanks to Vincenzo Turturro, Muhammad Uwais (two issues), SPIDY, Nitro13urn, Yiğit Şengezer, and Sainithin0309 for reporting these vulnerabilities.

Additional Fixes

  • The layout widget now correctly regains full focus when switching back to Edit content mode
  • Keyboard shortcuts for widget operations (copy, cut, paste, duplicate, remove) no longer intercept the browser's native clipboard behavior when no widget is focused — previously, logged-in users found that selecting and copying text on a page was blocked by the admin UI
  • Illegal HTML id attribute values generated by the admin UI have been corrected
  • A duplicate <meta charset> tag has been removed from outerLayoutBase.html; the charset is now consistently utf-8 (the legacy configuration option is ignored, as utf-8 is the only legal value per spec)
  • Orderable table array items no longer drag the entire floating window
  • apostrophe and oembetter have been updated to remove a number of services that formerly supported oembed for the general public but no longer do so. While there is no active security risk today, removing these eliminates potential XSS attack vectors should those domains ever lapse. Developers can further prune this list using the new minimumAllowlist and minimumEndpoints options on the @apostrophecms/oembed module
  • aposResponse errors are now logged server-side in the Astro process
  • Dependencies in @apostrophecms/cli have been bumped to close vulnerabilities in uuid, fast-xml-parser, and shelljs. The first two were not used in a sensitive or vulnerable way within ApostropheCMS; the shelljs vulnerability would only be exploitable if a developer could be convinced to enter malicious commands as CLI input
  • The xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed. This was fixed by sanitize-html 2.17.4 and a dependency bump to ensure it is used in apostrophe.
  • Manual links in the image-widget were vulnerable to XSS. This was fixed by the use of the url field type, a database migration to clean up any existing XSS, and (for defense in depth) upgrades in launder to ensure it uses the same high-quality URL sanitization employed by sanitize-html.
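The javascript: link issue in the image widget and its cleanup migration, as an added example written for these notes (not Apostrophe's, launder's or sanitize-html's code): a scheme allowlist that checks the link on the same control-character-stripped view a browser uses, plus a document walker of the kind a migration would run. The widget type "@apostrophecms/image" is the real widget type; the "href" field name and the sample document are constructed for the example.

```javascript
// Schemes a manually entered link may use. Everything else (javascript:,
// data:, vbscript:, ...) is dropped rather than "fixed".
const SAFE_LINK_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Return the link unchanged if its scheme is safe, '' otherwise. Browsers
// strip tabs, newlines and leading control characters before reading the
// scheme, so "java\nscript:alert(1)" and "\u0001javascript:..." still run;
// the scheme is therefore checked on the same stripped, lowercased view.
function sanitizeLinkUrl(value) {
  if (typeof value !== 'string') return '';
  const trimmed = value.trim();
  if (trimmed === '') return '';
  const probe = trimmed.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const match = /^([a-z][a-z0-9+.\-]*):/.exec(probe);
  if (match === null) {
    // No scheme: a site-relative ("/about") or protocol-relative ("//host/x")
    // link, which cannot start with a script scheme.
    return trimmed;
  }
  return SAFE_LINK_SCHEMES.has(match[1]) ? trimmed : '';
}

// Walk a stored document and scrub the (constructed) "href" field of every
// widget of the given type. Mutates in place and returns the number of links
// changed so a migration can log what it did; a second run changes nothing.
function scrubImageWidgetLinks(node, widgetType = '@apostrophecms/image') {
  let changed = 0;
  if (Array.isArray(node)) {
    for (const item of node) changed += scrubImageWidgetLinks(item, widgetType);
  } else if (node !== null && typeof node === 'object') {
    if (node.type === widgetType && typeof node.href === 'string') {
      const clean = sanitizeLinkUrl(node.href);
      if (clean !== node.href) { node.href = clean; changed += 1; }
    }
    for (const value of Object.values(node)) {
      changed += scrubImageWidgetLinks(value, widgetType);
    }
  }
  return changed;
}

// Constructed sample document: one safe link, one that must be stripped.
function makeSampleDoc() {
  return {
    _id: 'page1', title: 'Home',
    main: { metaType: 'area', items: [
      { type: '@apostrophecms/image', href: 'https://example.com/gallery' },
      { type: '@apostrophecms/rich-text', content: '<p>hi</p>' },
      { type: '@apostrophecms/image', href: 'JaVaScRiPt:alert(1)' }
    ] }
  };
}
```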

Community Contributions

We're grateful to the contributors who helped make this release possible. Sainithin0309 flagged the oembed long-term security concern that led to this cycle's cleanup. Harouna Traore contributed the aposResponse error logging improvement to the Astro integration.

You should upgrade

This release contains important security fixes and we encourage all users to upgrade promptly with npm update. Let us know what you think on our roadmap.

🚀 Happy coding!