CVE-2026-33889: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in apostrophecms apostrophe
ApostropheCMS versions 4. 28. 0 and earlier contain a stored cross-site scripting (XSS) vulnerability in the @apostrophecms/color-field module. This flaw allows an editor to inject malicious JavaScript by bypassing color value validation and inserting unsanitized input into style tags. The vulnerability can lead to session hijacking, cookie theft, and privilege escalation if an administrator views the affected content. The issue is fixed in version 4. 29. 0.
AI Analysis
Technical Summary
CVE-2026-33889 is a stored XSS vulnerability in ApostropheCMS (Node.js CMS) versions prior to 4.29.0. The vulnerability arises because the @apostrophecms/color-field module improperly sanitizes color values prefixed with '--', which bypass TinyColor validation. The launder.string() function only coerces types without removing HTML metacharacters. These unsafe values are concatenated directly into <style> tags in both per-widget and global stylesheets, marked as safe HTML. An editor can exploit this to close the style tag and inject arbitrary JavaScript, affecting all visitors and potentially allowing administrative privilege escalation when admins view draft content.
Potential Impact
Successful exploitation allows an attacker with editor privileges to execute arbitrary JavaScript in the browsers of all visitors to pages containing the affected widget. This can result in mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views the malicious draft content. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges, user interaction, and partial confidentiality and integrity impact.
Mitigation Recommendations
This vulnerability has been fixed in ApostropheCMS version 4.29.0. Users should upgrade to version 4.29.0 or later to remediate this issue. Since no official patch link or vendor advisory is provided, verify the fix by consulting the ApostropheCMS release notes or official channels. Until upgraded, restrict editor privileges and avoid loading untrusted draft content in administrative sessions.
CVE-2026-33889: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in apostrophecms apostrophe
Description
ApostropheCMS versions 4. 28. 0 and earlier contain a stored cross-site scripting (XSS) vulnerability in the @apostrophecms/color-field module. This flaw allows an editor to inject malicious JavaScript by bypassing color value validation and inserting unsanitized input into style tags. The vulnerability can lead to session hijacking, cookie theft, and privilege escalation if an administrator views the affected content. The issue is fixed in version 4. 29. 0.
CVSS v3.1
Score 5.4medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33889 is a stored XSS vulnerability in ApostropheCMS (Node.js CMS) versions prior to 4.29.0. The vulnerability arises because the @apostrophecms/color-field module improperly sanitizes color values prefixed with '--', which bypass TinyColor validation. The launder.string() function only coerces types without removing HTML metacharacters. These unsafe values are concatenated directly into <style> tags in both per-widget and global stylesheets, marked as safe HTML. An editor can exploit this to close the style tag and inject arbitrary JavaScript, affecting all visitors and potentially allowing administrative privilege escalation when admins view draft content.
Potential Impact
Successful exploitation allows an attacker with editor privileges to execute arbitrary JavaScript in the browsers of all visitors to pages containing the affected widget. This can result in mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views the malicious draft content. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges, user interaction, and partial confidentiality and integrity impact.
Mitigation Recommendations
This vulnerability has been fixed in ApostropheCMS version 4.29.0. Users should upgrade to version 4.29.0 or later to remediate this issue. Since no official patch link or vendor advisory is provided, verify the fix by consulting the ApostropheCMS release notes or official channels. Until upgraded, restrict editor privileges and avoid loading untrusted draft content in administrative sessions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T15:10:05.682Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dfeeb382d89c981f942279
Added to database: 4/15/2026, 8:01:55 PM
Last enriched: 4/22/2026, 11:15:00 PM
Last updated: 5/31/2026, 4:04:59 AM
Views: 90
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.