CVE-2026-53606
published 2026-06-12

Priority: P427
CVSS 3.1: 5.4 (medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.14% (3.4th percentile)
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use `allowedSchemesAppliedToAttributes` (default: `['href', 'src', 'cite']`) to gate the `naughtyHref()` function that blocks dangerous URI schemes like `javascript:` and `vbscript:`. The HTML specification defines 10+ attributes that accept URIs (`action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc`, `lowsrc`), but none of these are included in the default gate list. When a developer allows any of these attributes in their configuration, `javascript:` URIs pass through completely unmodified, enabling XSS. Version 2.17.5 patches the issue.
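As an added example (not code from sanitize-html or ApostropheCMS), this Node.js audit walks a sanitize-html options object, reports every allowed URI-bearing attribute from the list above that is missing from allowedSchemesAppliedToAttributes, and builds a hardened copy whose gate list covers them all. It assumes the documented option names and the string-or-object attribute entry forms of sanitize-html; the sample configuration is constructed.

```javascript
// Default gate list of sanitize-html < 2.17.5 and the URI-bearing attributes
// the advisory lists as missing from it.
const DEFAULT_GATED = ['href', 'src', 'cite'];
const UNGATED_URI_ATTRS = ['action', 'formaction', 'data', 'poster',
  'background', 'ping', 'xlink:href', 'dynsrc', 'lowsrc'];
const URI_ATTRS = new Set([...DEFAULT_GATED, ...UNGATED_URI_ATTRS]);

// Audit: list every allowed attribute that carries a URI but is absent from
// allowedSchemesAppliedToAttributes; on a vulnerable version a value such as
// "javascript:..." in that attribute would reach the output unchecked.
// Attribute entries may be plain names or objects like { name: 'poster' }.
function findUngatedUriAttributes(options) {
  const gated = new Set(options.allowedSchemesAppliedToAttributes ?? DEFAULT_GATED);
  const findings = [];
  for (const [tag, entries] of Object.entries(options.allowedAttributes ?? {})) {
    for (const entry of entries) {
      const name = typeof entry === 'string' ? entry : entry.name;
      if (URI_ATTRS.has(name) && !gated.has(name)) {
        findings.push({ tag, attribute: name });
      }
    }
  }
  return findings;
}

// Harden: return a copy of the options whose gate list also covers every
// allowed URI attribute, so the scheme check applies to all of them.
function hardenOptions(options) {
  const gate = [...(options.allowedSchemesAppliedToAttributes ?? DEFAULT_GATED)];
  for (const { attribute } of findUngatedUriAttributes(options)) {
    if (!gate.includes(attribute)) gate.push(attribute);
  }
  return { ...options, allowedSchemesAppliedToAttributes: gate };
}

// Constructed sample config: forms, link pings and video posters are allowed
// but the default gate list was never extended.
const SAMPLE_OPTIONS = {
  allowedTags: ['a', 'form', 'video', 'p'],
  allowedAttributes: {
    a: ['href', 'ping'],
    form: ['action', 'method'],
    video: ['src', { name: 'poster' }],
  },
};

console.log(findUngatedUriAttributes(SAMPLE_OPTIONS));
console.log(hardenOptions(SAMPLE_OPTIONS).allowedSchemesAppliedToAttributes);
```

Extending the gate list is a stopgap for deployments that cannot yet move to 2.17.5; upgrading remains the fix.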

Affected

19 ranges
Vendor | Product | Version range | Fixed in
apostrophecms | sanitize-html | < 2.17.5 | 2.17.5
container-native-virtualization | kubevirt-console-plugin-rhel9 | |
devspaces | dashboard-rhel9 | |
multicluster-engine | console-mce-rhel9 | |
network-observability | network-observability-console-plugin-rhel9 | |
open-telemetry | opentelemetry-collector-contrib | |
openshift-gitops-1 | console-plugin-rhel8 | |
openshift3 | ose-console | |
openshift4 | ose-agent-installer-ui-rhel9 | |
openshift4 | ose-console | |
openshift4 | ose-console-rhel9 | |
quay | quay-rhel8 | |
quay | quay-rhel9 | |
rhacm2 | console-rhel9 | |
rhdh | rhdh-hub-rhel9 | |
rhoai | odh-mlflow-rhel9 | |
satellite | iop-advisor-frontend-rhel9 | |
satellite | iop-host-inventory-frontend-rhel9 | |
satellite | iop-vulnerability-frontend-rhel9 | |

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vendor_redhat | | 5.4 | MEDIUM |