CVE-2026-53608
🟡 Monitoruj
Wstrzyknięcie złośliwego kodu w ApostropheCMS umożliwia atak XSS dla wszystkich odwiedzających stronę.
CVSS
8.7
EPSS
0.2%
Exploit
none
Vendor
Opis źródłowy (NVD)
ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package injects the Google Analytics Tracking ID (`seoGoogleTrackingId`) and Google Tag Manager ID (`seoGoogleTagManager`) directly into `<script>` tag bodies using JavaScript template literals without any sanitization or validation. Any user with editor-level access (the default role for content managers) can set these fields to a malicious value, resulting in stored XSS that executes on every page for every visitor of the site. As of time of publication, no known patched versions are available.
xss
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 8.7 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.2% |
| Opublikowano (NVD) | 2026-06-12 22:16:52 UTC |
| Ostatnia modyfikacja (NVD) | 2026-06-15 20:54:05 UTC |
Referencje
- https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-wf43-fpp3-cf65 (security-advisories@github.com)