CVE-2026-40186: Cross-site Scripting in Sanitize-html

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.0% (top 91.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 15; latest update Apr 16

Description

ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in version 2.17.1 of the ApostropheCMS-maintained sanitize-html package, bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependency on the vulnerable sanitize-html version. The code at packages/sanitize-html/index.js:569-573 incorrectly assumes that htmlparser2 does not decode

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Exploitability: 2.8 | Impact: 2.7)

Affected Packages (3 packages)

Source      Package                        Versions
npm         apostrophecms/sanitize-html    2.17.2, 2.17.3
CVEListV5   apostrophecms/sanitize-html    >= 2.17.1, < 2.17.2
CVEListV5   apostrophecms/apostrophe       >= 4.28.0, < 4.29.0

Vulnerability Details (3)

VulDB (2026-04-16): apostrophe up to 4.28.x cross site scripting (GHSA-9mrh-v2v3-xpfm)
GHSA (2026-04-16): sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
CVEList (2026-04-15): ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements