CVE-2026-33889: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in apostrophecms apostrophe
ApostropheCMS versions 4. 28. 0 and earlier contain a stored cross-site scripting (XSS) vulnerability in the @apostrophecms/color-field module. This vulnerability allows an editor to inject malicious JavaScript by bypassing color value validation and inserting unsanitized input into style tags. The injected script can execute in the browsers of all visitors to pages containing the affected widget, potentially leading to session hijacking, cookie theft, and privilege escalation if an admin views draft content. The issue is fixed in version 4. 29. 0.
AI Analysis
Technical Summary
CVE-2026-33889 is a stored cross-site scripting vulnerability in ApostropheCMS (Node.js CMS) versions prior to 4.29.0. The flaw exists in the @apostrophecms/color-field module where color values prefixed with '--' bypass TinyColor validation. The launder.string() function only coerces types without removing HTML metacharacters, allowing crafted input to close <style> tags and inject arbitrary JavaScript. This malicious script executes in the context of any visitor viewing the affected widget, enabling session hijacking, cookie theft, and administrative privilege escalation if an admin views the injected draft content. The vulnerability is resolved in version 4.29.0.
Potential Impact
Exploitation allows an authenticated editor to inject malicious JavaScript that executes in the browsers of all visitors to affected pages. This can lead to session hijacking, cookie theft, and privilege escalation to administrative control if an administrator views the compromised draft content. The CVSS score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges, user interaction, and partial impact on confidentiality and integrity.
Mitigation Recommendations
Upgrade ApostropheCMS to version 4.29.0 or later, where this vulnerability has been fixed. Since this is a self-hosted product, administrators must apply the update to remediate the issue. Patch status is confirmed by the vendor's versioning. No alternative mitigations are indicated.
CVE-2026-33889: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in apostrophecms apostrophe
Description
ApostropheCMS versions 4. 28. 0 and earlier contain a stored cross-site scripting (XSS) vulnerability in the @apostrophecms/color-field module. This vulnerability allows an editor to inject malicious JavaScript by bypassing color value validation and inserting unsanitized input into style tags. The injected script can execute in the browsers of all visitors to pages containing the affected widget, potentially leading to session hijacking, cookie theft, and privilege escalation if an admin views draft content. The issue is fixed in version 4. 29. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33889 is a stored cross-site scripting vulnerability in ApostropheCMS (Node.js CMS) versions prior to 4.29.0. The flaw exists in the @apostrophecms/color-field module where color values prefixed with '--' bypass TinyColor validation. The launder.string() function only coerces types without removing HTML metacharacters, allowing crafted input to close <style> tags and inject arbitrary JavaScript. This malicious script executes in the context of any visitor viewing the affected widget, enabling session hijacking, cookie theft, and administrative privilege escalation if an admin views the injected draft content. The vulnerability is resolved in version 4.29.0.
Potential Impact
Exploitation allows an authenticated editor to inject malicious JavaScript that executes in the browsers of all visitors to affected pages. This can lead to session hijacking, cookie theft, and privilege escalation to administrative control if an administrator views the compromised draft content. The CVSS score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges, user interaction, and partial impact on confidentiality and integrity.
Mitigation Recommendations
Upgrade ApostropheCMS to version 4.29.0 or later, where this vulnerability has been fixed. Since this is a self-hosted product, administrators must apply the update to remediate the issue. Patch status is confirmed by the vendor's versioning. No alternative mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T15:10:05.682Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dfeeb382d89c981f942279
Added to database: 4/15/2026, 8:01:55 PM
Last enriched: 4/15/2026, 8:17:02 PM
Last updated: 4/15/2026, 9:03:13 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.