CVE-2026-33889
Stored XSS in ApostropheCMS Color-Field Module Enables Session Hijacking
Publication date: 2026-04-15
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apostrophecms | apostrophecms | up to 4.29.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33889 is a stored Cross-Site Scripting (XSS) vulnerability in the @apostrophecms/color-field module of ApostropheCMS versions up to 4.28.0.
The vulnerability occurs because color values starting with "--" (CSS custom properties) bypass the TinyColor validation, and the launder.string() function only coerces types without removing or escaping HTML metacharacters.
These unsanitized values are then directly inserted into <style> tags in both per-widget styles visible to all visitors and global stylesheets visible to editors, with the content marked as safe HTML.
An attacker with editor privileges can inject malicious values that close the style tag and execute arbitrary JavaScript in the browsers of all visitors to pages containing the affected widget.
This allows execution of arbitrary scripts, including stealing cookies, hijacking sessions, and escalating privileges to administrative control if an admin views draft content.
How can this vulnerability impact me?
This vulnerability can have several serious impacts:
- Execution of arbitrary JavaScript code in the browsers of all visitors to affected pages.
- Theft of cookies and session hijacking, allowing attackers to impersonate users.
- Privilege escalation to administrative control if an administrator views malicious draft content.
- Persistence of malicious payloads in the database, causing repeated exploitation on every page load.
- Potential delivery of phishing overlays, keyloggers, or malware through injected scripts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if ApostropheCMS versions 4.28.0 or prior are in use and if any color fields contain malicious CSS custom property values that bypass validation.
Since the vulnerability is a stored cross-site scripting (XSS) via specially crafted color values, detection can focus on scanning the database or content for suspicious color values starting with "--" that include HTML or JavaScript payloads such as closing style tags and script tags.
There are no explicit commands provided in the resources, but suggested approaches include:
- Query the database for color field entries containing suspicious patterns like `--x:`, `</style>`, `<script>`, or other HTML metacharacters.
- Use grep or similar tools on exported content or backups to search for payload patterns, e.g.: `grep -r -- '--x:' /path/to/apostrophe/content`
- Monitor HTTP traffic for injected scripts or unusual style tag content in pages served by ApostropheCMS.
Because the vulnerability requires an editor role to inject the payload, auditing editor activity logs for suspicious updates to color fields may also help detect exploitation.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade ApostropheCMS to version 4.29.0 or later, where the vulnerability is fixed.
- Apply input validation to restrict CSS custom property names to only alphanumeric characters, hyphens, and underscores, rejecting any values that do not conform.
- Implement output encoding by escaping sequences like `</` in CSS output to prevent breaking out of `<style>` tags.
- Audit and sanitize existing content to remove any malicious color values that could trigger the XSS.
- Restrict editor privileges to trusted users until the patch is applied.
These steps provide defense in depth by preventing malicious input and ensuring safe rendering of styles, thereby mitigating the risk of stored XSS attacks.
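As an added example (not the ApostropheCMS module's own code) that serves both the detection approaches above and the validation and escaping steps in this list: one strict whitelist for colour values, the `</` escape for `<style>` output, and a scanner that applies the same whitelist to an exported document tree to flag stored values that should never have been accepted. The accepted literal colour formats, the field name `backgroundColor` and the sample export are assumptions.

```javascript
// Added example, not ApostropheCMS code: one whitelist for colour field values,
// used to reject input (mitigation) and to flag stored values in an export (detection).

// Custom property reference: "--" plus alphanumerics, hyphens, underscores only.
const CUSTOM_PROPERTY = /^--[A-Za-z0-9_-]+$/;
// Literal colours this example accepts (assumed set): hex forms and rgb()/rgba()/hsl()/hsla().
const HEX_COLOR = /^#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$/;
const FUNC_COLOR = /^(?:rgba?|hsla?)\(\s*[0-9.%,\s/]+\s*\)$/;

// Returns the trimmed value when it is safe to emit into CSS, otherwise null.
function validateColorValue(input) {
  if (typeof input !== 'string') return null;
  const value = input.trim();
  if (value.startsWith('--')) return CUSTOM_PROPERTY.test(value) ? value : null;
  return HEX_COLOR.test(value) || FUNC_COLOR.test(value) ? value : null;
}

// Defence in depth for anything written inside a <style> element: a literal "</" becomes
// the CSS escape "<\/", so the HTML tokenizer never sees "</style" but CSS still reads "/".
function escapeForStyle(css) {
  return css.replace(/<\//g, '<\\/');
}

// Walks an exported document tree and reports every string stored under a
// field named in colorFields (an assumed list; adapt to the site's schema)
// that fails validation, with its JSON-style path.
function findSuspiciousColorValues(doc, colorFields, path = '$') {
  const hits = [];
  if (Array.isArray(doc)) {
    doc.forEach((item, i) => hits.push(...findSuspiciousColorValues(item, colorFields, `${path}[${i}]`)));
  } else if (doc && typeof doc === 'object') {
    for (const [key, val] of Object.entries(doc)) {
      const here = `${path}.${key}`;
      if (colorFields.includes(key) && typeof val === 'string') {
        if (validateColorValue(val) === null) hits.push({ path: here, value: val });
      } else {
        hits.push(...findSuspiciousColorValues(val, colorFields, here));
      }
    }
  }
  return hits;
}

// Constructed sample export (not real site data): two widgets, one clean and
// one whose stored colour value contains HTML metacharacters.
const SAMPLE_EXPORT = [
  { _id: 'w1', type: 'hero', backgroundColor: '--brand-primary' },
  { _id: 'w2', type: 'hero', backgroundColor: '--x:</style>' }
];
```

Running `findSuspiciousColorValues(SAMPLE_EXPORT, ['backgroundColor'])` reports only the second widget, with the path `$[1].backgroundColor`, which is the same rule an upgraded validator would apply at input time.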
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in ApostropheCMS allows stored cross-site scripting (XSS) attacks that can lead to cookie theft, session hijacking, and privilege escalation. Such unauthorized access and data exposure could potentially violate data protection requirements under regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information against unauthorized access and breaches.
Specifically, the ability for an attacker to execute arbitrary JavaScript in the browsers of site visitors and administrators could result in the exposure of personal data or administrative control, undermining confidentiality and integrity requirements common to these standards.
Therefore, organizations using vulnerable versions of ApostropheCMS may face compliance risks if this vulnerability is exploited, as it could lead to unauthorized disclosure of personal data and compromise of administrative privileges.