ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context

Description

The @apostrophecms/color-field module bypasses color validation for values prefixed with -- (intended for CSS custom properties), but performs no HTML sanitization on these values.

Recommendation

Update the apostrophe package to the latest compatible version. Followings are version details:

• Affected version(s): < 4.29.0
• Patched version(s): 4.29.0

References

• GHSA-97v6-998m-fp4g
• CVE-2026-33889
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Apostrophe has stored XSS via javascript: URL in Image Widget Link - CVE-2026-45011
• Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS - CVE-2026-35569
• ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictio - CVE-2026-39857
• PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - CVE-2026-41305

You might also like:

How do hackers hack websites?

These 7 PHP mistakes leave your website open to the hackers

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

apostrophe