CVE-2026-53608
Stored XSS in ApostropheCMS SEO Package

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package inject the Google Analytics Tracking ID (`seoGoogleTrackingId`) and Google Tag Manager ID (`seoGoogleTagManager`) directly into `<script>` tag bodies using JavaScript template literals, without any sanitization or validation. Any user with editor-level access (the default role for content managers) can set these fields to a malicious value, resulting in stored XSS that executes on every page for every visitor of the site. As of the time of publication, no known patched versions are available.
Meta Information
Generated: 2026-06-13
AI Q&A: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: apostrophecms
Product: seo
Version / Range: up to 1.4.2 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Mitigation Strategies

Since no patched versions are currently available, immediate mitigation involves restricting editor-level access to trusted users only, as any user with editor-level access can inject malicious values into the Google Analytics Tracking ID and Google Tag Manager ID fields.

Additionally, consider implementing web application firewall (WAF) rules to detect and block suspicious script injections and monitor your site for unusual script behavior.

Review and sanitize any user input fields related to these tracking IDs manually if possible, and avoid using the vulnerable versions of the @apostrophecms/seo package until a patch is released.
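The unsafe pattern the description names (an editor-controlled tracking ID interpolated into a `<script>` body) beside a hardened form that validates the ID against its expected format and serializes it safely, as an added example that is not code from the `@apostrophecms/seo` package; the ID formats encoded in the regular expressions are assumptions, not stated by the advisory:

```javascript
// Illustrative only: not the @apostrophecms/seo package's own code.
// Shows the unsafe pattern from the advisory (editor-supplied IDs dropped
// into a <script> body via a template literal) next to a hardened renderer.

// Assumed ID formats (not stated by the advisory): GA4 measurement IDs
// "G-" plus alphanumerics, Universal Analytics "UA-<digits>-<digits>",
// Google Tag Manager container IDs "GTM-" plus alphanumerics.
const TRACKING_ID_PATTERNS = {
  seoGoogleTrackingId: /^(G-[A-Z0-9]{4,12}|UA-\d{4,10}-\d{1,4})$/,
  seoGoogleTagManager: /^GTM-[A-Z0-9]{4,10}$/
};

// Allowlist check: only a well-formed ID for the given field is accepted.
function isValidTrackingId(field, value) {
  const pattern = TRACKING_ID_PATTERNS[field];
  return typeof value === 'string' && pattern !== undefined && pattern.test(value);
}

// Unsafe: the raw value lands inside the script body, so a quote or a
// closing script tag in an editor-supplied value changes the page's script.
function renderUnsafe(trackingId) {
  return `<script>gtag('config', '${trackingId}');</script>`;
}

// Hardened: reject anything that is not a well-formed ID, then emit it as a
// JSON string literal with "<" escaped so it can never close the literal
// or the <script> element.
function renderSafe(trackingId) {
  if (!isValidTrackingId('seoGoogleTrackingId', trackingId)) {
    throw new Error('seoGoogleTrackingId is not a valid tracking ID');
  }
  const literal = JSON.stringify(trackingId).replace(/</g, '\\u003c');
  return `<script>gtag('config', ${literal});</script>`;
}
```

Applying the same validation at save time (when the editor submits the field) and at render time closes the gap for values already stored before the check was introduced.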

Executive Summary

This vulnerability exists in ApostropheCMS, specifically in versions up to and including 1.4.2 of the @apostrophecms/seo package. It involves the injection of Google Analytics Tracking ID and Google Tag Manager ID directly into <script> tag bodies using JavaScript template literals without any sanitization or validation.

Because of this, any user with editor-level access (the default role for content managers) can insert malicious values into these fields. This results in stored cross-site scripting (XSS) attacks that execute on every page for every visitor of the site.

No patched versions are known to be available at the time of publication.

Impact Analysis

This vulnerability can have serious impacts because it allows stored cross-site scripting (XSS) attacks to be executed on every page for every visitor of the affected site.

  • Attackers with editor-level access can inject malicious scripts that run in the browsers of all site visitors.
  • This can lead to theft of sensitive information such as cookies, session tokens, or other private data.
  • It can also be used to perform actions on behalf of users without their consent, potentially compromising user accounts.
  • The vulnerability has a high CVSS score of 8.7, indicating a high severity with network attack vector, low attack complexity, and high impact on confidentiality and integrity.