Security Alert: CSS Injection Vulnerability in Capture-Eye Modal Component via Unvalidated Color Property

A critical security flaw in the Capture-Eye modal component allows for arbitrary CSS injection through the `color` attribute. The vulnerability stems from the `color` value being passed directly to `this.style.setProperty('--primary-color', this._color)` without any input validation. This injection occurs at line 637 in `src/modal/modal.ts`, *before* a hex pattern check at line 652, which only protects a subsequent hover color calculation. The primary color variable is already compromised, creating a direct path for attackers to inject malicious CSS custom properties.

The attack surface is broad, as the `color` attribute is an HTML attribute intended for integrators. It can be controlled via direct HTML manipulation (e.g., `<capture-eye color="red; --injected: value" ...>`), JavaScript (`element.setAttribute('color', 'malicious value')`), or through CMS widget settings in platforms like WordPress Elementor or Wix. The vulnerable code path clearly shows the validation logic is misplaced, guarding only the hover color calculation while leaving the primary color assignment completely exposed.

This vulnerability represents a significant risk for any website or application embedding the Capture-Eye component. An attacker could exploit this to perform UI redressing attacks, deface websites, exfiltrate data via crafted CSS, or potentially chain with other vulnerabilities. The flaw highlights a common but dangerous pattern of trusting user-controllable input for direct style manipulation without sanitization, putting all downstream integrators and their users at immediate risk.