CVE-2026-33889: Cross-site Scripting in Apostrophe

Severity
5.4 MEDIUM (NVD)
EPSS
0.0%
top 91.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 15
Latest update: Apr 16

Description

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into tags both in per-widget style elements rendered for all

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (2 packages)

CVEListV5: apostrophecms/apostrophe < 4.29.0

Vulnerability Details (3 sources)

GHSA
ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context (2026-04-16)
VulDB
apostrophe up to 4.28.x launder.string Color cross site scripting (GHSA-97v6-998m-fp4g) (2026-04-16)
CVEList
ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context (2026-04-15)
CVE-2026-33889 — Cross-site Scripting in Apostrophe | cvebase