CVE-2026-53608
Deferred - Pending Action

Stored XSS in ApostropheCMS SEO Package

Vulnerability report for CVE-2026-53608, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package inject the Google Analytics Tracking ID (`seoGoogleTrackingId`) and Google Tag Manager ID (`seoGoogleTagManager`) directly into `<script>` tag bodies using JavaScript template literals, without any sanitization or validation. Any user with editor-level access (the default role for content managers) can set these fields to a malicious value, resulting in stored XSS that executes on every page for every visitor of the site. As of the time of publication, no patched versions are known to be available.
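The injection pattern the description refers to, beside a hardened version, as an added JavaScript example that is not code from the @apostrophecms/seo package; the gtag call, the allowlist regexes for the ID formats and the sample values are assumptions.

```javascript
// Added example, not code from @apostrophecms/seo. The allowlist patterns are
// an assumption about the shape of the IDs; tighten them to what your site uses.
const GA_ID_PATTERN = /^(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{4,12})$/;
const GTM_ID_PATTERN = /^GTM-[A-Z0-9]{4,10}$/;

function isValidTrackingId(value, pattern) {
  return typeof value === 'string' && pattern.test(value);
}

// The pattern the advisory describes: an editor-supplied value is interpolated
// straight into a <script> body, so quotes or a closing tag in the value
// change the structure of the emitted page.
function vulnerableSnippet(trackingId) {
  return `<script>gtag('config', '${trackingId}');</script>`;
}

// Hardened form: reject anything outside the allowlist, then emit the value as
// a JSON string literal with '<' escaped so it can never close the tag
// (JSON.stringify already escapes quotes, backslashes and line terminators).
function safeSnippet(trackingId, pattern = GA_ID_PATTERN) {
  if (!isValidTrackingId(trackingId, pattern)) {
    return ''; // do not render the tag at all for an invalid ID
  }
  const literal = JSON.stringify(trackingId).replace(/</g, '\\u003c');
  return `<script>gtag('config', ${literal});</script>`;
}

// Constructed sample values: a plausible ID and an editor-supplied value that
// carries characters no tracking ID contains (a quote and a closing tag).
const GOOD_ID = 'G-ABCD1234';
const BAD_ID = "G-1' </script>";
```

Validation rejects `BAD_ID` outright, while the encoding step protects even an ID that matches the pattern if the allowlist is ever loosened.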


Meta Information

Published: 2026-06-12
Last Modified: 2026-06-15
Generated: 2026-07-03
AI Q&A: 2026-06-13
EPSS Evaluated: 2026-07-02

Affected Vendors & Products

Vendor          Product   Version / Range
apostrophecms   seo       up to and including 1.4.2

Exploitability

CWE ID   Description
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

This vulnerability exists in ApostropheCMS, specifically in versions up to and including 1.4.2 of the @apostrophecms/seo package. It involves the injection of Google Analytics Tracking ID and Google Tag Manager ID directly into <script> tag bodies using JavaScript template literals without any sanitization or validation.

Because of this, any user with editor-level access (the default role for content managers) can insert malicious values into these fields. This results in stored cross-site scripting (XSS) attacks that execute on every page for every visitor of the site.

No patched versions are known to be available at the time of publication.

Impact Analysis

This vulnerability can have serious impacts because it allows stored cross-site scripting (XSS) attacks to be executed on every page for every visitor of the affected site.

  • Attackers with editor-level access can inject malicious scripts that run in the browsers of all site visitors.
  • This can lead to theft of sensitive information such as cookies, session tokens, or other private data.
  • It can also be used to perform actions on behalf of users without their consent, potentially compromising user accounts.
  • The vulnerability has a high CVSS score of 8.7, indicating a high severity with network attack vector, low attack complexity, and high impact on confidentiality and integrity.

Mitigation Strategies

Since no patched versions are currently available, immediate mitigation involves restricting editor-level access to trusted users only, as any user with editor-level access can inject malicious values into the Google Analytics Tracking ID and Google Tag Manager ID fields.

Additionally, consider implementing web application firewall (WAF) rules to detect and block suspicious script injections and monitor your site for unusual script behavior.

Where possible, review the values stored in these tracking ID fields and sanitize them manually, and avoid using the vulnerable versions of the @apostrophecms/seo package until a patch is released.

Compliance Impact

The vulnerability allows stored cross-site scripting (XSS) via injection of malicious Google Analytics or Google Tag Manager IDs by users with editor-level access. This can lead to unauthorized script execution on every page for every visitor, potentially exposing sensitive user data or enabling further attacks.

Such unauthorized script execution and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and ensuring secure handling of user information.

However, the provided information does not explicitly detail the compliance impact or mitigation measures related to these standards.
