Potential for cross-site scripting in
The problem has been patched in
posthog-js version 1.57.2.
- This isn't an issue for sites that have a Content Security Policy in place.
- Using the HTML tracking snippet on PostHog Cloud always guarantees the latest version of the library – in that case no action is required to upgrade to the patched version.
We will publish details of the vulnerability in 30 days as per our security policy.