CVE-2026-53608: @apostrophecms/seo Vulnerable to Stored XSS via Unsanitized Google Analytics / GTM ID Injected into Script Tag
ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package inject the Google Analytics Tracking ID (`seoGoogleTrackingId`) and Google Tag Manager ID (`seoGoogleTagManager`) directly into `<script>` tag bodies using JavaScript template literals without any sanitization or validation. Any user with editor-level access (the default role for content managers) can set these fields to a malicious value, resulting in stored XSS that executes on every page for every visitor of the site. As of the time of publication, no known patched versions are available.
Metrics
- CVSS v3.1: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) affects the @apostrophecms/seo package for ApostropheCMS, versions up to and including 1.4.2. An authenticated user with editor-level privileges can set the Google Analytics Tracking ID or Google Tag Manager ID fields to arbitrary JavaScript, which is injected unsanitized into script tag bodies and executes in every visitor's browser on every page load. Successful exploitation allows an attacker to read session tokens, exfiltrate user data, or perform actions on behalf of any site visitor. No patched version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
- Detection (Available): Detection for CVE-2026-53608 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the @apostrophecms/seo package. Any image found to include an affected version of the package is flagged immediately in the pipeline.
- Scoring and triage (Available): HarborGuard is capable of scoring this finding at CVSS 8.7 (HIGH) and weighting it further against each environment's compliance policy to determine urgency. Triage routing is available to direct the alert to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
- Patched-image rebuild (Pending upstream): Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, customers can use HarborGuard's policy controls to flag or block deployment of images containing affected versions and apply network-level compensating controls while awaiting an upstream patch.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the ApostropheCMS admin interface over the network to set the malicious tracking ID field.
- Authentication: Required
  A low-privilege editor-level account is sufficient; no administrative credentials are needed.
- Victim interaction: Required
  Site visitors must load a page of the affected site, causing their browser to execute the injected script.
- Attack complexity
  The exploit is reliable and condition-free once the malicious value is saved, requiring no race conditions or special environmental setup.
Blast Radius
- Reads stored session cookies and authentication tokens belonging to any visitor who loads an affected page.
- Exfiltrates form input, credentials, or other sensitive data entered by visitors before it is submitted.
- Executes arbitrary actions in the context of each visitor's authenticated session, including account changes or content submissions.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against all customer images containing the @apostrophecms/seo package at versions up to and including 1.4.2. Because no upstream patch exists at the time of publication, HarborGuard monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues once upstream ships. While awaiting a patch, compensating controls are available: consider using HarborGuard policy rules to block promotion of images containing affected versions to production, applying network-policy isolation to restrict which accounts can reach the CMS admin interface, and auditing existing Google Analytics and Tag Manager field values in running instances for unexpected content.
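The following is an added example, not code from the @apostrophecms/seo package or from HarborGuard. It shows the two defensive pieces the advisory implies: a strict allowlist plus escaped embedding as the hardened counterpart of dropping a raw field value into a template literal inside a `<script>` body, and an audit helper for the field-value check suggested in the previous paragraph. The field names `seoGoogleTrackingId` and `seoGoogleTagManager` come from the advisory; the ID formats (modelled on Google's public ID shapes, with lengths kept deliberately strict), the helper names `renderTrackingSnippet` and `auditTrackingFields`, the simplified snippet bodies and the sample documents are assumptions constructed for illustration.

```javascript
// Added example, not code from @apostrophecms/seo or HarborGuard.
// Field names come from the advisory; ID formats (assumed from Google's public
// ID shapes, lengths kept deliberately strict), helper names, snippet bodies and
// sample documents are constructed for illustration.

// Strict allowlist per field. Anything outside these shapes is rejected outright,
// so quotes, backticks, angle brackets or `${` can never reach a script body.
const TRACKING_ID_PATTERNS = {
  // GA4 measurement ID (G-...), legacy Universal Analytics (UA-...-.), Google Ads (AW-...)
  seoGoogleTrackingId: /^(G-[A-Z0-9]{4,12}|UA-\d{4,10}-\d{1,4}|AW-\d{6,12})$/,
  // Google Tag Manager container ID
  seoGoogleTagManager: /^GTM-[A-Z0-9]{4,10}$/,
};

// Returns true only for a string that matches the field's allowlist.
function isValidTrackingId(field, value) {
  const pattern = TRACKING_ID_PATTERNS[field];
  return pattern !== undefined && typeof value === 'string' && pattern.test(value);
}

// Defence in depth for any value interpolated into a <script> body: JSON-encode
// it, then escape the characters that could close the script block or confuse
// the JS parser, even though the allowlist already excludes them.
function toScriptStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened counterpart of "drop the raw field into a template literal":
// validate first, then embed only the escaped literal. The snippet bodies are
// simplified stand-ins for the real gtag/GTM bootstrap code.
function renderTrackingSnippet(field, value) {
  if (!isValidTrackingId(field, value)) {
    throw new Error(`Rejected ${field}: value does not match the expected ID format`);
  }
  const id = toScriptStringLiteral(value);
  if (field === 'seoGoogleTagManager') {
    return `<script>window.dataLayer = window.dataLayer || []; window.gtmContainerId = ${id};</script>`;
  }
  return `<script async src="https://www.googletagmanager.com/gtag/js?id=${encodeURIComponent(value)}"></script>` +
    `<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} ` +
    `gtag('js', new Date()); gtag('config', ${id});</script>`;
}

// Audit helper for running instances: given the stored global settings documents,
// report every tracking field whose value is set but does not look like an ID.
function auditTrackingFields(globalDocs) {
  const findings = [];
  for (const doc of globalDocs) {
    for (const [field, pattern] of Object.entries(TRACKING_ID_PATTERNS)) {
      const value = doc[field];
      if (value === undefined || value === null || value === '') continue; // unset is fine
      if (typeof value !== 'string' || !pattern.test(value)) {
        findings.push({ docId: doc._id, field, value: String(value), reason: 'unexpected content' });
      }
    }
  }
  return findings;
}

// Constructed sample documents: two with well-formed IDs, one with tampered values.
const SAMPLE_GLOBAL_DOCS = [
  { _id: 'site-a', seoGoogleTrackingId: 'G-ABC123DEF4', seoGoogleTagManager: 'GTM-AB12CD3' },
  { _id: 'site-b', seoGoogleTrackingId: 'UA-12345678-1', seoGoogleTagManager: '' },
  { _id: 'site-c', seoGoogleTrackingId: 'G-ABC123"; /* not an ID */', seoGoogleTagManager: 'GTM-AB12CD3 extra' },
];

for (const finding of auditTrackingFields(SAMPLE_GLOBAL_DOCS)) {
  console.log(`[${finding.docId}] ${finding.field}: ${finding.reason}: ${JSON.stringify(finding.value)}`);
}
```

Rejecting on the allowlist is the control that actually closes the issue; the escaping step only matters if a future field legitimately needs a wider character set. The same `TRACKING_ID_PATTERNS` drives both the render path and the audit, so a value that would be refused at save time is exactly the value the audit reports when it is already stored.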
- apostrophecms / @apostrophecms/seo: <= 1.4.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N