CVE-2026-33889

Name of the Vulnerable Software and Affected Versions ApostropheCMS versions prior to 4.29.0

Description A stored cross-site scripting issue exists in the @apostrophecms/color-field module. The convert() function uses TinyColor for validation but exempts any value starting with --, which is intended for CSS custom properties. Because the launder.string() call only performs type coercion and does not strip HTML metacharacters, an editor can inject malicious values. These unsanitized values are concatenated directly into <style> tags within per-widget style elements for all visitors and in the global stylesheet for editors. An attacker with editor privileges can inject a value that closes the style tag and executes arbitrary JavaScript in the browser of any visitor or administrator viewing the content. This can lead to mass session hijacking, cookie theft, and privilege escalation to administrative control.

Recommendations Update to version 4.29.0. As a temporary workaround, restrict the use of the @apostrophecms/color-field module or limit editor permissions for styling widgets until the update is applied.