CVE-2026-53608
Description
Stored XSS in ApostropheCMS SEO package allows editors to inject malicious script via unsanitized Google Analytics or Tag Manager IDs, affecting all site visitors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The @apostrophecms/seo package up to version 1.4.2 injects the seoGoogleTrackingId and seoGoogleTagManager fields directly into `<script>` tag bodies using JavaScript template literals without sanitization or validation [1]. The vulnerable code resides in node_modules/@apostrophecms/seo/lib/nodes.js, where the raw values are inserted verbatim [1]. These fields are defined as plain `type: 'string'` with no pattern or length validation in seo-fields-global/index.js [1]. The issue is triggered when `seoGoogleAnalytics: true` is enabled in module options [1].
Exploitation
An attacker with editor-level access (the default role for content managers) can set either the seoGoogleTrackingId or seoGoogleTagManager field to a malicious JavaScript payload via the global singleton editing interface [1]. No administrator privileges are required because the permission model grants editors the ability to edit and publish the global singleton [1]. The payload is then stored and executed on every page for every visitor when the script tag is rendered verbatim by renderNodes() [1].
Impact
Successful exploitation results in stored cross-site scripting (XSS) that executes in the context of every visitor's browser on every page of the site [1]. An attacker can perform arbitrary actions such as stealing session cookies, redirecting users, defacing pages, or delivering further malware. The impact is high due to the persistent nature and broad reach across all site visitors.
Mitigation
As of the publication date (2026-06-12), no patched version of @apostrophecms/seo is available [1]. Users should disable the seoGoogleAnalytics module option if not required, or restrict editor-level access to the global singleton as a temporary workaround. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog at this time.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.4.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The package interpolates user-controlled tracking IDs directly into `<script>` tag bodies via raw JavaScript template literals with no sanitization or escaping."
Attack vector
An attacker with editor-level access (the default content manager role) can set the `seoGoogleTrackingId` or `seoGoogleTagManager` field to a malicious value via the global document API endpoint. Because the value is injected directly into a `<script>` tag body without sanitization [ref_id=1], the payload executes as stored XSS on every page for every visitor. The editor role is granted the ability to edit and publish the global singleton, so no administrator privileges are required [ref_id=1]. The PoC demonstrates injecting a payload that breaks out of the `gtag()` call and executes `alert(document.cookie)` on page load.
Affected code
The vulnerability is in `@apostrophecms/seo/lib/nodes.js` where `seoGoogleTrackingId` and `seoGoogleTagManager` are inserted directly into `<script>` tag bodies via JavaScript template literals as `raw` content. The `renderNodes()` function in `@apostrophecms/template/index.js` returns the raw string verbatim with no escaping. The fields are defined as plain `type: 'string'` with no validation in `seo-fields-global/index.js`.
What the fix does
The advisory recommends validating tracking ID fields against expected formats (e.g., `G-`, `UA-`, `GTM-` prefixes) before storage and escaping values via `JSON.stringify()` or using a safe `json` node type instead of the `raw` node type when inserting into script bodies [ref_id=1]. Without these changes, any editor-supplied string is rendered verbatim in a `<script>` context, allowing arbitrary JavaScript execution. As of publication, no patched version of the package has been released.
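The two changes the advisory recommends, format validation before storage and safe serialization when the value is emitted into a script body, are shown side by side below. This is an added example, not code from the @apostrophecms/seo package; the regexes, the helper names and the `gtag('config', ...)` call shape are assumptions for illustration, and the sample inputs are constructed.

```javascript
// Added example (not the @apostrophecms/seo package's own code): validate
// tracking IDs before storage and serialize them safely when emitting the
// <script> body. The patterns below are assumptions about the ID formats.

// Accept only the documented shapes: Google Analytics 4 (G-...),
// Universal Analytics (UA-...-N) and Tag Manager (GTM-...).
const TRACKING_ID_PATTERNS = {
  seoGoogleTrackingId: /^(G-[A-Z0-9]{4,12}|UA-\d{4,10}-\d{1,4})$/,
  seoGoogleTagManager: /^GTM-[A-Z0-9]{4,10}$/
};

// Returns true when `value` matches the expected format for `field`.
// Intended to run server-side before the global singleton is saved, so a
// malformed value is never stored in the first place.
function isValidTrackingId(field, value) {
  const pattern = TRACKING_ID_PATTERNS[field];
  return typeof value === 'string' && pattern !== undefined && pattern.test(value);
}

// Serialize a value for a JavaScript string context inside a <script> body.
// JSON.stringify escapes quotes, backslashes and control characters, but it
// does not escape "<", so a stored value containing "</script>" could still
// terminate the element early; the replace() closes that gap.
function toScriptLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

// Vulnerable pattern (the `raw` node behaviour described above): the value
// is interpolated verbatim into the script body.
function renderGtagUnsafe(trackingId) {
  return `<script>gtag('config', '${trackingId}');</script>`;
}

// Hardened pattern: reject anything that is not a well-formed ID, then emit
// the value as an escaped JSON string literal.
function renderGtagSafe(trackingId) {
  if (!isValidTrackingId('seoGoogleTrackingId', trackingId)) {
    throw new Error('seoGoogleTrackingId does not match an expected format');
  }
  return `<script>gtag('config', ${toScriptLiteral(trackingId)});</script>`;
}

// Constructed sample inputs: one well-formed ID and one containing a quote.
console.log(renderGtagSafe('G-ABCD1234'));
console.log(isValidTrackingId('seoGoogleTrackingId', "G-ABC'DEF")); // false
```

The validation step is the one that matters most here: once only IDs matching a strict allow-list pattern can be stored, the serialization step is defence in depth for the render path. Applying `JSON.stringify()` alone is not sufficient in a `<script>` context because the HTML parser, not the JavaScript parser, decides where the element ends, which is why the `<` replacement is included.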
Preconditions
- config: The @apostrophecms/seo package must be installed and `seoGoogleAnalytics: true` must be enabled in module options.
- auth: The attacker must possess an editor-level account (the default content manager role).
- network: The attacker must be able to reach the API endpoints for the global singleton document.
- input: The attacker supplies a crafted string in the seoGoogleTrackingId or seoGoogleTagManager field that breaks out of the JavaScript string literal.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.