CVE Catalog

CVE-2026-53608

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile - higher than 10% of all known CVEs

Summary

ApostropheCMS versions up to 1.4.2 of the `@apostrophecms/seo` package injects Google Analytics and Google Tag Manager IDs without proper sanitization. Users with editor-level access can set these fields to malicious values, leading to stored XSS attacks.

Risk Assessment

An attacker can exploit this vulnerability to inject malicious JavaScript code, jeopardizing user data security and site integrity. Every visitor to the site may be at risk.

Recommendation

It is recommended to update to the latest version of the `@apostrophecms/seo` package and implement additional input sanitization mechanisms. Monitoring and restricting editor access may also help mitigate the risk.

Original NVD description (English source)

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package injects the Google Analytics Tracking ID (`seoGoogleTrackingId`) and Google Tag Manager ID (`seoGoogleTagManager`) directly into `<script>` tag bodies using JavaScript template literals without any sanitization or validation. Any user with editor-level access (the default role for content managers) can set these fields to a malicious value, resulting in stored XSS that executes on every page for every visitor of the site. As of time of publication, no known patched versions are available.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS