CVE-2026-40186
Published 2026-04-15
CVSS 3.1: 6.1 (medium), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.24% (14.3th percentile)
ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in version 2.17.1 of the ApostropheCMS-maintained sanitize-html package, bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependency on the vulnerable sanitize-html version. The code at packages/sanitize-html/index.js:569-573 incorrectly assumes that htmlparser2 does not decode entities inside these elements and therefore skips escaping, but htmlparser2 10.x does decode entities before passing text to the ontext callback. As a result, entity-encoded HTML is decoded by the parser and then written directly to the output as literal HTML characters, completely bypassing the allowedTags filter. An attacker can inject arbitrary tags, including XSS payloads, through any allowed option or textarea element using entity encoding. This affects non-default configurations where option or textarea are included in allowedTags, which is common in form builders and CMS platforms. This issue has been fixed in version 2.17.2 of sanitize-html and 4.29.0 of ApostropheCMS.
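Because only one release is affected and the bypass needs a non-default allowedTags, the practical check is a dependency-tree plus configuration review. The following is an added example written for this page, not code from the advisory, sanitize-html or ApostropheCMS; the lockfile and options it inspects are constructed samples, and the lockfile layout assumed is the npm v2/v3 `packages` map.

```javascript
// Added example for this advisory (not code from sanitize-html or ApostropheCMS):
// report whether a package-lock.json contains the affected sanitize-html release
// and whether the application's sanitize-html options enable the exploitable path.
const AFFECTED_VERSION = '2.17.1';            // the only affected release; 2.17.2 is fixed
const NON_TEXT_TAGS = ['textarea', 'option']; // nonTextTagsArray elements named in the advisory

// Walk the lockfile v2/v3 "packages" map. Nested installs appear under paths such
// as "node_modules/a/node_modules/sanitize-html", so match on the trailing segment.
function findAffectedSanitizeHtml(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/sanitize-html')) continue;
    if (meta.version === AFFECTED_VERSION) hits.push({ path, version: meta.version });
  }
  return hits;
}

// The bypass is reachable only when a non-default allowedTags permits textarea or
// option. allowedTags: false is sanitize-html's "allow every tag" setting.
function exposedNonTextTags(sanitizeOptions) {
  const allowed = sanitizeOptions ? sanitizeOptions.allowedTags : undefined;
  if (allowed === false) return [...NON_TEXT_TAGS];
  if (!Array.isArray(allowed)) return []; // the default allowedTags list excludes both elements
  return NON_TEXT_TAGS.filter((tag) => allowed.includes(tag));
}

// Both conditions must hold for the advisory's bypass to be reachable.
function assessExposure(lockfile, sanitizeOptions) {
  const affected = findAffectedSanitizeHtml(lockfile);
  const exposedTags = exposedNonTextTags(sanitizeOptions);
  return { affected, exposedTags, exploitable: affected.length > 0 && exposedTags.length > 0 };
}

// Constructed sample lockfile: patched top-level install, affected nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/sanitize-html': { version: '2.17.2' },
    'node_modules/some-editor/node_modules/sanitize-html': { version: '2.17.1' },
  },
};
// Constructed form-builder configuration that allows both nonTextTags elements.
const sampleOptions = { allowedTags: ['p', 'b', 'select', 'option', 'textarea'] };

console.log(JSON.stringify(assessExposure(sampleLock, sampleOptions), null, 2));
```

The nested copy is the case a top-level `npm ls sanitize-html` glance tends to miss, which is why the walk matches on the path suffix rather than the top-level entry alone.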
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apostrophecms | apostrophe | — | — |
| apostrophecms | apostrophecms | — | — |
| apostrophecms | sanitize-html | <= 2.17.1 | — |
| apostrophecms | sanitize-html | — | — |
| apostrophecms | sanitize-html | >= 2.17.2 < 2.17.3 | 2.17.3 |
| container-native-virtualization | kubevirt-console-plugin-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| multicluster-engine | console-mce-rhel9 | — | — |
| openshift4 | ose-agent-installer-ui-rhel9 | — | — |
| openshift4 | ose-console | — | — |
| openshift4 | ose-console-rhel9 | — | — |
| quay | quay-rhel8 | — | — |
| quay | quay-rhel9 | — | — |
| rhacm2 | console-rhel9 | — | — |
| rhoai | odh-mlflow-rhel9 | — | — |
| satellite | iop-advisor-frontend-rhel9 | — | — |
| satellite | iop-host-inventory-frontend-rhel9 | — | — |
| satellite | iop-vulnerability-frontend-rhel9 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (CVSS v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| vendor_redhat | 6.1 | MEDIUM | — |
VulDB
CVE-2026-40186 [MEDIUM] apostrophe up to 4.28.x cross site scripting (GHSA-9mrh-v2v3-xpfm)
vuldb·2026-04-16·CVSS 6.1
A vulnerability has been found in apostrophe up to 4.28.x and classified as problematic. This affects an unknown part. Performing a manipulation results in cross site scripting.
This vulnerability was named CVE-2026-40186. The attack may be initiated remotely. There is no available exploit.
The affected component should be upgraded.
GHSA
CVE-2026-40186 [MEDIUM] CWE-79 sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
ghsa·2026-04-16
## Summary
Commit 49d0bb7 introduced a regression in sanitize-html that bypasses `allowedTags` enforcement for text inside `nonTextTagsArray` elements (`textarea` and `option`). Entity-encoded HTML inside these elements passes through the sanitizer as decoded, unescaped HTML, allowing injection of arbitrary tags including XSS payloads. This affects any application using sanitize-html that includes `option` or `textarea` in its `allowedTags` configuration.
## Details
The vulnerable code is at `packages/sanitize-html/index.js:569-573`:
```javascript
} else if ((options.disallowedTagsMode === 'discard' || options.disallowedTagsMode === 'completelyDiscard') && (nonTextTagsArray.indexOf(tag) !== -1)) {
// html
```
Red Hat
CVE-2026-40186 [MEDIUM] CWE-838 sanitize-html: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
vendor_redhat·2026-04-15·CVSS 6.1
ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependency on the vulnerable sanitize-html version. The code at packages/sanitize-html/index.js:569-573 incorrectly assumes that htmlparser2 does not decode entities inside these elements and skips escaping, but htmlparser2 10.x does decode entities before passing text to the ontext callback. As a result, entity-encoded HTML is decoded by the
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-40186 [MEDIUM] cockatrice: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all]
bugzilla·2026-06-16·CVSS 6.1
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-40186 [MEDIUM] golang-github-apache-beam-2: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all]
bugzilla·2026-06-16·CVSS 6.1
Bugzilla
CVE-2026-40186 [MEDIUM] glances: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all]
bugzilla·2026-06-16·CVSS 6.1
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2026-40186 [MEDIUM] python-jupyterlab_pygments: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [epel-all]
bugzilla·2026-06-16·CVSS 6.1
Bugzilla
CVE-2026-40186 [MEDIUM] python-jupyterlab_pygments: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all]
bugzilla·2026-06-16·CVSS 6.1
Bugzilla
CVE-2026-40186 [MEDIUM] python-ipyparallel: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [epel-all]
bugzilla·2026-06-16·CVSS 6.1
Bugzilla
CVE-2026-40186 [MEDIUM] python-jupyterlab-widgets: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [epel-all]
bugzilla·2026-06-16·CVSS 6.1
Bugzilla
CVE-2026-40186 [MEDIUM] jupyterlab: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [epel-all]
bugzilla·2026-06-16·CVSS 6.1
Bugzilla
CVE-2026-40186 [MEDIUM] prometheus: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all]
bugzilla·2026-06-16·CVSS 6.1
Bugzilla
CVE-2026-40186 [MEDIUM] python-nbdime: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all]
bugzilla·2026-06-16·CVSS 6.1
Discussion:
CVE-2026-40186 affects version 2.17.1 only of sanitize-html. Neither older nor newer versions are affected. The python-nbdime package currently has version 2.12.1.
Bugzilla
CVE-2026-40186 [MEDIUM] python-jupytext: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all]
bugzilla·2026-06-16·CVSS 6.1
Discussion:
CVE-2026-40186 affects version 2.17.1 only of sanitize-html. Neither older nor newer releases are affected. The python-jupytext package currently has version 2.12.1.
Bugzilla
CVE-2026-40186 [MEDIUM] jupyterlab: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all]
bugzilla·2026-06-16·CVSS 6.1
Bugzilla
CVE-2026-40186 [MEDIUM] python-jupyterlab-widgets: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all]
bugzilla·2026-06-16·CVSS 6.1
Bugzilla
CVE-2026-40186 [MEDIUM] python-ipyparallel: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [fedora-all]
bugzilla·2026-06-16·CVSS 6.1
Bugzilla
CVE-2026-40186 [MEDIUM] prometheus: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [epel-all]
bugzilla·2026-06-16·CVSS 6.1
Bugzilla
CVE-2026-40186 [MEDIUM] glances: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements [epel-all]
bugzilla·2026-06-16·CVSS 6.1
Bugzilla
CVE-2026-40186 [MEDIUM] sanitize-html: ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
bugzilla·2026-04-15·CVSS 6.1
ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependency on the vulnerable sanitize-html version. The code at packages/sanitize-html/index.js:569-573 incorrectly assumes that htmlparser2 does not decode entities inside these elements and skips escaping, but htmlparser2 10.x does decode entities before passing text to the ontext callback. As a result, entity-encoded HTML is