CVE-2026-53608

Source
https://cve.org/CVERecord?id=CVE-2026-53608
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53608.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53608
Aliases
  • GHSA-wf43-fpp3-cf65
Published
2026-06-12T20:57:48.913Z
Modified
2026-07-08T08:13:43.867450741Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
@apostrophecms/seo Vulnerable to Stored XSS via Unsanitized Google Analytics / GTM ID Injected into Script Tag
Details

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the @apostrophecms/seo package injects the Google Analytics Tracking ID (seoGoogleTrackingId) and Google Tag Manager ID (seoGoogleTagManager) directly into <script> tag bodies using JavaScript template literals without any sanitization or validation. Any user with editor-level access (the default role for content managers) can set these fields to a malicious value, resulting in stored XSS that executes on every page for every visitor of the site. As of time of publication, no known patched versions are available.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53608.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/apostrophecms/apostrophe

Affected ranges

Type
GIT
Repo
https://github.com/apostrophecms/apostrophe
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.4.2"
        }
    ]
}

Affected versions

0.*
0.1.1
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.3.0
0.3.1
0.3.10
0.3.11
0.3.12
0.3.15
0.3.16
0.3.18
0.3.19
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.4.1
0.4.10
0.4.100
0.4.101
0.4.102
0.4.104
0.4.11
0.4.110
0.4.111
0.4.112
0.4.113
0.4.114
0.4.115
0.4.116
0.4.117
0.4.118
0.4.119
0.4.12
0.4.120
0.4.121
0.4.122
0.4.123
0.4.124
0.4.125
0.4.13
0.4.14
0.4.15
0.4.16
0.4.18
0.4.184
0.4.19
0.4.2
0.4.20
0.4.21
0.4.22
0.4.23
0.4.24
0.4.25
0.4.26
0.4.27
0.4.28
0.4.29
0.4.3
0.4.30
0.4.31
0.4.32
0.4.33
0.4.34
0.4.35
0.4.37
0.4.4
0.4.40
0.4.41
0.4.42
0.4.43
0.4.44
0.4.45
0.4.46
0.4.47
0.4.5
0.4.51
0.4.52
0.4.53
0.4.54
0.4.55
0.4.57
0.4.58
0.4.59
0.4.6
0.4.60
0.4.61
0.4.62
0.4.63
0.4.64
0.4.65
0.4.66
0.4.67
0.4.68
0.4.69
0.4.7
0.4.70
0.4.71
0.4.72
0.4.73
0.4.74
0.4.75
0.4.8
0.4.82
0.4.83
0.4.84
0.4.85
0.4.86
0.4.87
0.4.88
0.4.89
0.4.90
0.4.91
0.4.92
0.4.93
0.4.94
0.4.95
0.4.96
0.4.97
0.4.98
0.4.99
0.5.0
0.5.1
0.5.10
0.5.100
0.5.102
0.5.103
0.5.104
0.5.106
0.5.107
0.5.108
0.5.109
0.5.111
0.5.113
0.5.115
0.5.116
0.5.117
0.5.12
0.5.120
0.5.121
0.5.124
0.5.125
0.5.126
0.5.127
0.5.128
0.5.13
0.5.130
0.5.131
0.5.133
0.5.134
0.5.135
0.5.136
0.5.138
0.5.14
0.5.141
0.5.142
0.5.143
0.5.144
0.5.145
0.5.146
0.5.148
0.5.149
0.5.150
0.5.151
0.5.155
0.5.156
0.5.157
0.5.158
0.5.159
0.5.16
0.5.165
0.5.167
0.5.168
0.5.169
0.5.17
0.5.178
0.5.179
0.5.180
0.5.181
0.5.183
0.5.187
0.5.188
0.5.189
0.5.19
0.5.190
0.5.191
0.5.192
0.5.193
0.5.194
0.5.197
0.5.198
0.5.199
0.5.2
0.5.20
0.5.201
0.5.202
0.5.203
0.5.204
0.5.205
0.5.206
0.5.207
0.5.208
0.5.21
0.5.213
0.5.215
0.5.216
0.5.217
0.5.218
0.5.219
0.5.22
0.5.221
0.5.222
0.5.223
0.5.224
0.5.226
0.5.227
0.5.228
0.5.229
0.5.23
0.5.230
0.5.24
0.5.240
0.5.241
0.5.242
0.5.244
0.5.245
0.5.246
0.5.247
0.5.248
0.5.249
0.5.25
0.5.250
0.5.251
0.5.252
0.5.253
0.5.254
0.5.26
0.5.269
0.5.27
0.5.270
0.5.271
0.5.272
0.5.273
0.5.275
0.5.276
0.5.278
0.5.279
0.5.28
0.5.280
0.5.281
0.5.282
0.5.283
0.5.284
0.5.285
0.5.286
0.5.287
0.5.288
0.5.29
0.5.290
0.5.291
0.5.292
0.5.293
0.5.294
0.5.296
0.5.297
0.5.298
0.5.3
0.5.30
0.5.300
0.5.301
0.5.302
0.5.303
0.5.305
0.5.307
0.5.308
0.5.309
0.5.31
0.5.310
0.5.311
0.5.312
0.5.32
0.5.327
0.5.328
0.5.33
0.5.330
0.5.331
0.5.332
0.5.333
0.5.336
0.5.337
0.5.338
0.5.339
0.5.34
0.5.340
0.5.343
0.5.344
0.5.345
0.5.346
0.5.347
0.5.348
0.5.349
0.5.35
0.5.350
0.5.351
0.5.352
0.5.353
0.5.354
0.5.355
0.5.356
0.5.357
0.5.358
0.5.359
0.5.36
0.5.360
0.5.361
0.5.362
0.5.363
0.5.364
0.5.365
0.5.366
0.5.367
0.5.368
0.5.369
0.5.37
0.5.370
0.5.371
0.5.372
0.5.373
0.5.374
0.5.375
0.5.376
0.5.377
0.5.378
0.5.379
0.5.38
0.5.380
0.5.381
0.5.382
0.5.383
0.5.384
0.5.39
0.5.4
0.5.40
0.5.43
0.5.44
0.5.45
0.5.47
0.5.48
0.5.5
0.5.50
0.5.51
0.5.52
0.5.55
0.5.56
0.5.57
0.5.58
0.5.59
0.5.6
0.5.60
0.5.61
0.5.63
0.5.64
0.5.65
0.5.67
0.5.68
0.5.69
0.5.7
0.5.70
0.5.71
0.5.75
0.5.76
0.5.77
0.5.78
0.5.79
0.5.8
0.5.82
0.5.84
0.5.85
0.5.86
0.5.88
0.5.89
0.5.9
0.5.90
0.5.91
0.5.92
0.5.93
0.5.94
0.5.95
0.5.96
0.5.97
0.5.98
0.5.99
2.*
2.0.1
2.0.2
2.0.3
2.0.4
2.1.1
2.1.2
2.1.3
2.10.0
2.10.1
2.10.2
2.10.3
2.11.0
2.12.0
2.13.0
2.13.1
2.13.2
2.14.0
2.14.1
2.14.2
2.15.0
2.15.1
2.15.2
2.16.0
2.16.1
2.17.0
2.17.1
2.17.2
2.18.0
2.18.1
2.18.2
2.19.0
2.19.1
2.20.1
2.20.2
2.20.3
2.22.0
2.23.0
2.23.1
2.23.2
2.24.0
2.25.0
2.25.1
2.26.0
2.26.1
2.27.0
2.27.1
2.28.0
2.29.0
2.29.1
2.29.2
2.30.0
2.31.0
2.31.1
2.32.0
2.33.0
2.33.1
2.34.0
2.34.1
2.34.2
2.34.3
2.35.0
2.35.1
2.36.0
2.36.1
2.36.2
2.36.3
2.38.0
2.39.0
2.39.1
2.39.2
2.40.0
2.41.0
2.42.0
2.42.1
2.43.0
2.44.0
2.45.0
2.46.0
2.46.1
2.47.0
2.48.0
2.49.0
2.50.0
2.51.0
2.51.1
2.52.0
2.53.0
2.54.0
2.54.1
2.54.2
2.54.3
2.55.0
2.56.0
2.57.0
2.58.0
2.59.0
2.59.1
2.6.1
2.6.2
2.60.0
2.60.1
2.60.2
2.60.3
2.60.4
2.62.0
2.63.0
2.64.0
2.64.1
2.65.0
2.66.0
2.67.0
2.7.0
2.8.0
2.9.0
2.9.1
2.9.2
3.*
3.0.0
3.0.0-alpha.1
3.0.0-alpha.2
3.0.0-alpha.3
3.0.0-alpha.4
3.0.0-alpha.4.2
3.0.0-alpha.5
3.0.0-alpha.6.1
3.0.0-alpha.7
3.0.0-beta.1
3.0.0-beta.1.1
3.0.0-beta.2
3.0.0-beta.3
3.0.1
3.1.0
3.1.2
3.11.0
3.12.0
3.13.0
3.14.0
3.14.1
3.14.2
3.15.0
3.16.0
3.16.1
3.17.0
3.18.0
3.19.0
3.2.0
3.21.0
3.22.0
3.23.0
3.24.0
3.25.0
3.26.0
3.26.1
3.27.0
3.28.0
3.28.1
3.29.0
3.3.0
3.30.0
3.31.0
3.32.0
3.33.0
3.34.0
3.35.0
3.36.0
3.37.0
3.38.0
3.38.1
3.39.0
3.39.2
3.4.0
3.4.1
3.40.0
3.40.1
3.41.1
3.42.0
3.43.0
3.44.0
3.45.0
3.46.0
3.47.0
3.48.0
3.49.0
3.5.0
3.50.0
3.51.0
3.51.1
3.52.0
3.53.0
3.54.0
3.55.0
3.56.0
3.57.0
3.58.0
3.58.1
3.59.0
3.6.0
3.60.0
3.60.1
3.61.0
3.62.0
3.63.1
3.7.0
3.8.0
3.8.1
3.9.0
4.*
4.0.0
4.1.0
4.1.1
4.10.0
4.11.0
4.11.2
4.12.0
4.13.0
4.14.0
4.15.0
4.16.0
4.17.0
4.17.1
4.18.0
4.19.0
4.2.0
4.20.0
4.21.0
4.22.0
4.23.0
4.24.0
4.3.0
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.5.2
4.5.3
4.6.0
4.7.0
4.8.0
4.9.0
@apostrophecms/ai-helper@1.*
@apostrophecms/ai-helper@1.0.0-beta.11
@apostrophecms/apostrophe-astro@1.*
@apostrophecms/apostrophe-astro@1.10.0
@apostrophecms/apostrophe-astro@1.11.0
@apostrophecms/apostrophe-astro@1.8.0
@apostrophecms/apostrophe-astro@1.9.0
@apostrophecms/cli@3.*
@apostrophecms/cli@3.6.0
@apostrophecms/form@1.*
@apostrophecms/form@1.5.3
@apostrophecms/import-export@3.*
@apostrophecms/import-export@3.5.1
@apostrophecms/import-export@3.5.2
@apostrophecms/import-export@3.5.3
@apostrophecms/import-export@3.6.0
@apostrophecms/login-totp@1.*
@apostrophecms/login-totp@1.3.3
@apostrophecms/openapi-generator@1.*
@apostrophecms/openapi-generator@1.0.0
@apostrophecms/seo@1.*
@apostrophecms/seo@1.4.0
@apostrophecms/seo@1.4.1
@apostrophecms/seo@1.4.2
@apostrophecms/sitemap@1.*
@apostrophecms/sitemap@1.3.0
@apostrophecms/sitemap@1.4.0
apostrophe@4.*
apostrophe@4.25.0
apostrophe@4.26.0
apostrophe@4.28.0
apostrophe@4.29.0
apostrophecms-openapi@1.*
apostrophecms-openapi@1.1.0
postcss-viewport-to-container-toggle@2.*
postcss-viewport-to-container-toggle@2.2.0
postcss-viewport-to-container-toggle@2.3.0
sanitize-html@2.*
sanitize-html@2.17.1
sanitize-html@2.17.2
sanitize-html@2.17.3
uploadfs@1.*
uploadfs@1.26.1
v0.*
v0.4.68

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53608.json"