CVE-2026-33889
Received Received - Intake
Stored XSS in ApostropheCMS Color-Field Module Enables Session Hijacking

Publication date: 2026-04-15

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into <style> tags both in per-widget style elements rendered for all visitors and in the global stylesheet rendered for editors, with the output marked as safe HTML. An editor can inject a value which closes the style tag and executes arbitrary JavaScript in the browser of every visitor to any page containing the affected widget. This enables mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views draft content. This issue has been fixed in version 4.29.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33889
EUVD
EUVD-2026-23104
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apostrophecms apostrophecms to 4.29.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33889 is a stored Cross-Site Scripting (XSS) vulnerability in the @apostrophecms/color-field module of ApostropheCMS versions up to 4.28.0.

The vulnerability occurs because color values starting with "--" (CSS custom properties) bypass the TinyColor validation, and the launder.string() function only coerces types without removing or escaping HTML metacharacters.

These unsanitized values are then directly inserted into <style> tags in both per-widget styles visible to all visitors and global stylesheets visible to editors, with the content marked as safe HTML.

An attacker with editor privileges can inject malicious values that close the style tag and execute arbitrary JavaScript in the browsers of all visitors to pages containing the affected widget.

This allows execution of arbitrary scripts, including stealing cookies, hijacking sessions, and escalating privileges to administrative control if an admin views draft content.

Impact Analysis

This vulnerability can have several serious impacts:

  • Execution of arbitrary JavaScript code in the browsers of all visitors to affected pages.
  • Theft of cookies and session hijacking, allowing attackers to impersonate users.
  • Privilege escalation to administrative control if an administrator views malicious draft content.
  • Persistence of malicious payloads in the database, causing repeated exploitation on every page load.
  • Potential delivery of phishing overlays, keyloggers, or malware through injected scripts.
Detection Guidance

Detection of this vulnerability involves identifying if ApostropheCMS versions 4.28.0 or prior are in use and if any color fields contain malicious CSS custom property values that bypass validation.

Since the vulnerability is a stored cross-site scripting (XSS) via specially crafted color values, detection can focus on scanning the database or content for suspicious color values starting with "--" that include HTML or JavaScript payloads such as closing style tags and script tags.

There are no explicit commands provided in the resources, but suggested approaches include:

  • Query the database for color field entries containing suspicious patterns like `--x:`, `</style>`, `<script>`, or other HTML metacharacters.
  • Use grep or similar tools on exported content or backups to search for payload patterns, e.g.: `grep -r -- '--x:' /path/to/apostrophe/content`
  • Monitor HTTP traffic for injected scripts or unusual style tag content in pages served by ApostropheCMS.

Because the vulnerability requires an editor role to inject the payload, auditing editor activity logs for suspicious updates to color fields may also help detect exploitation.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade ApostropheCMS to version 4.29.0 or later, where the vulnerability is fixed.
  • Apply input validation to restrict CSS custom property names to only alphanumeric characters, hyphens, and underscores, rejecting any values that do not conform.
  • Implement output encoding by escaping sequences like `</` in CSS output to prevent breaking out of `<style>` tags.
  • Audit and sanitize existing content to remove any malicious color values that could trigger the XSS.
  • Restrict editor privileges to trusted users until the patch is applied.

These steps provide defense in depth by preventing malicious input and ensuring safe rendering of styles, thereby mitigating the risk of stored XSS attacks.

Compliance Impact

The vulnerability in ApostropheCMS allows stored cross-site scripting (XSS) attacks that can lead to cookie theft, session hijacking, and privilege escalation. Such unauthorized access and data exposure could potentially violate data protection requirements under regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information against unauthorized access and breaches.

Specifically, the ability for an attacker to execute arbitrary JavaScript in the browsers of site visitors and administrators could result in the exposure of personal data or administrative control, undermining confidentiality and integrity requirements common to these standards.

Therefore, organizations using vulnerable versions of ApostropheCMS may face compliance risks if this vulnerability is exploited, as it could lead to unauthorized disclosure of personal data and compromise of administrative privileges.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart