CVE-2026-53608 HIGH

CVE-2026-53608: @apostrophecms/seo Vulnerable to Stored XSS via Unsanitized Google Analytics / GTM ID Injected into Script Tag

Vendor Apostrophecms
Product @apostrophecms/seo
Weakness CWE-79 · XSS
Published June 12, 2026
Last update June 15, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package injects the Google Analytics Tracking ID (`seoGoogleTrackingId`) and Google Tag Manager ID (`seoGoogleTagManager`) directly into `<script>` tag bodies using JavaScript template literals without any sanitization or validation. Any user with editor-level access (the default role for content managers) can set these fields to a malicious value, resulting in stored XSS that executes on every page for every visitor of the site. As of time of publication, no known patched versions are available.

Key dates

02Disclosure timeline

June 12, 2026 CVE published
June 15, 2026 Record updated