CVE-2026-33889
Affecting ApostropheCMS up to version 4.28.0, a stored XSS flaw exists in the @apostrophecms/color-field module. Unsanitized color values prefixed with -- bypass TinyColor validation for CSS custom properties, and launder.string() performs only type coercion, not HTML metacharacter stripping. Thi...