CVE 8.7 HIGH

@apostrophecms/seo Vulnerable to Stored XSS via Unsanitized Google Analytics / GTM ID Injected into Script Tag_CVE-2026-53608

June 12, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Description

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package injects the Google Analytics Tracking ID (`seoGoogleTrackingId`) and Google Tag Manager ID (`seoGoogleTagManager`) directly into `<script>` tag bodies using JavaScript template literals without any sanitization or validation. Any user with editor-level access (the default role for content managers) can set these fields to a malicious value, resulting in stored XSS that executes on every page for every visitor of the site. As of time of publication, no known patched versions are available.

AI Analysis

Stored XSS vulnerability in @apostrophecms/seo package due to unsanitized Google Analytics and Google Tag Manager IDs

Basic Information

ID CVE-2026-53608

Source GitHub_M

Published Jun 12, 2026 at 20:57

Affected Product

Vendor apostrophecms

Product @apostrophecms/seo

Version <= 1.4.2

Affected Versions apostrophecms @apostrophecms/seo <= 1.4.2

CWE Classification

CWE-79

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor ApostropheCMS

Product @apostrophecms/seo

Version <= 1.4.2

References

github.com /apostrophecms/apostrophe/security/advisories/GHSA-wf43-fpp3-cf65

{
    "lastseen": "",
    "description": "ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package injects the Google Analytics Tracking ID (`seoGoogleTrackingId`) and Google Tag Manager ID (`seoGoogleTagManager`) directly into `<script>` tag bodies using JavaScript template literals without any sanitization or validation. Any user with editor-level access (the default role for content managers) can set these fields to a malicious value, resulting in stored XSS that executes on every page for every visitor of the site. As of time of publication, no known patched versions are available.",
    "published": "2026-06-12T20:57:48.913Z",
    "modified": "2026-06-12T20:57:48.913Z",
    "type": "cve",
    "title": "@apostrophecms/seo Vulnerable to Stored XSS via Unsanitized Google Analytics / GTM ID Injected into Script Tag",
    "source": "GitHub_M",
    "references": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-wf43-fpp3-cf65",
    "id": "CVE-2026-53608",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "apostrophecms @apostrophecms/seo <= 1.4.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "@apostrophecms/seo",
    "version": "<= 1.4.2",
    "vendor": "apostrophecms",
    "ai_description": "Stored XSS vulnerability in @apostrophecms/seo package due to unsanitized Google Analytics and Google Tag Manager IDs",
    "ai_severity": "High",
    "ai_vendor": "ApostropheCMS",
    "ai_product": "@apostrophecms/seo",
    "ai_version": "<= 1.4.2",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply