Wednesday, Feb 15th, 2023
Advisory ID: 
Security risk: 
Cross Site Scripting
Versions affected: 
  • The borg theme versions prior to 1.x-1.1.19

The borg theme does not sufficiently sanitize path arguments that are passed in via URL.

A CVE has been requested, and this page will be updated as soon as an official number has been issued.


Upgrade your site to the most recent version of the borg theme. Download available on the Borg 1.1.19 release page

Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form