Wednesday, Feb 15th, 2023
Advisory ID: 
Security risk: 
Cross Site Scripting
Versions affected: 
  • The borg theme versions prior to 1.x-1.1.19

The borg theme does not sufficiently sanitize path arguments that are passed in via URL.

A CVE has been requested, and this page will be updated as soon as an official number has been issued.


Upgrade your site to the most recent version of the borg theme. Download available on the Borg 1.1.19 release page

Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive security announcements for core and contrib projects"