Description
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into <style> tags both in per-widget style elements rendered for all visitors and in the global stylesheet rendered for editors, with the output marked as safe HTML. An editor can inject a value which closes the style tag and executes arbitrary JavaScript in the browser of every visitor to any page containing the affected widget. This enables mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views draft content. This issue has been fixed in version 4.29.0.
Published: 2026-04-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

ApostropheCMS allows editors to enter color values that are incorporated directly into <style> tags without proper escaping. The @apostrophecms/color‑field module incorrectly accepts values prefixed with '--', bypassing TinyColor validation, and the subsequent laundering process only coerces types, leaving HTML metacharacters intact. When these unsanitized values are concatenated into style elements marked as safe HTML, an attacker can close the style tag and inject JavaScript. This flaw is a typical stored XSS (CWE‑79) that can lead to session hijacking, cookie theft, and, if an administrator views the compromised widget, privilege escalation to full administrative access.

Affected Systems

The vulnerability affects ApostropheCMS version 4.28.0 and all earlier releases. The affected product is the open-source Node.js content management system developed by apostrophecms.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score is not provided, implying no data on current exploitation likelihood. The flaw is listed outside the CISA KEV catalog. Exploitation requires access to the CMS editor interface, meaning that a user with content‑editing rights can inject malicious values. Once injected, every visitor to pages containing the affected widget will execute the embedded script, potentially compromising all users’ sessions and escalating to administrative privileges if the admin views the draft content.

Generated by OpenCVE AI on April 15, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ApostropheCMS to version 4.29.0 or later, where the issue is fixed.
  • If an upgrade is not immediately possible, block or sanitize custom CSS property input to strip or encode HTML characters before storing the value.
  • Restrict editor access by assigning stricter role permissions or temporarily disabling widget editing for untrusted users.
  • Implement server‑side validation of color fields to reject values beginning with '--' and enforce proper escaping before rendering into style tags.
  • Monitor logs for signs of anomalous JavaScript execution or session hijacking events.

Generated by OpenCVE AI on April 15, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-97v6-998m-fp4g ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context
History

Thu, 16 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Apostrophecms
Apostrophecms apostrophecms
Vendors & Products Apostrophecms
Apostrophecms apostrophecms

Wed, 15 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into <style> tags both in per-widget style elements rendered for all visitors and in the global stylesheet rendered for editors, with the output marked as safe HTML. An editor can inject a value which closes the style tag and executes arbitrary JavaScript in the browser of every visitor to any page containing the affected widget. This enables mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views draft content. This issue has been fixed in version 4.29.0.
Title ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Apostrophecms Apostrophecms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T12:05:17.734Z

Reserved: 2026-03-24T15:10:05.682Z

Link: CVE-2026-33889

cve-icon Vulnrichment

Updated: 2026-04-16T11:26:56.448Z

cve-icon NVD

Status : Received

Published: 2026-04-15T20:16:35.850

Modified: 2026-04-16T13:16:48.867

Link: CVE-2026-33889

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:00:05Z

Weaknesses