CVE-2026-53606
Published 2026-06-12
Priority: P427 · Severity: medium · CVSS 3.1 base score: 5.4
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.14% (3.4th percentile)
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use `allowedSchemesAppliedToAttributes` (default: `['href', 'src', 'cite']`) to gate the `naughtyHref()` function that blocks dangerous URI schemes like `javascript:` and `vbscript:`. The HTML specification defines 10+ attributes that accept URIs (`action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc`, `lowsrc`), but none of these are included in the default gate list. When a developer allows any of these attributes in their configuration, `javascript:` URIs pass through completely unmodified, enabling XSS. Version 2.17.5 patches the issue.
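The description above pins the flaw to a mismatch between two configuration lists: the attributes a deployment allows and the attributes whose values the sanitizer scheme-checks. The following is an added illustration, not sanitize-html's own code, of how a defender can audit an options object for that mismatch and produce a hardened copy. It assumes sanitize-html's option shapes as documented for the library: `allowedAttributes` is a map from tag name to a list of attribute names (strings or `{ name }` objects), or `false` to allow every attribute, and `allowedSchemesAppliedToAttributes` is the list of attributes whose values get the scheme check. The `auditConfig` and `hardenConfig` functions, the `URI_ATTRIBUTES` list and the sample configuration are constructed for this example.

```javascript
// Added illustration (not sanitize-html's own code): audit a sanitize-html
// options object for URI-bearing attributes that are allowed but not covered
// by allowedSchemesAppliedToAttributes, then build a hardened copy.
// Assumed option shapes: allowedAttributes maps a tag name (or '*') to a list
// of attribute names (strings or { name } objects), or is `false` to allow
// every attribute; allowedSchemesAppliedToAttributes lists the attributes
// whose values are scheme-checked. An undefined allowedAttributes means the
// library's own defaults apply, which this audit does not model.

// Default gate list the advisory names for versions before 2.17.5.
const DEFAULT_GATE = ['href', 'src', 'cite'];

// Attributes that accept URIs: the three defaults plus the nine the advisory
// says the old default gate omits.
const URI_ATTRIBUTES = [
  'href', 'src', 'cite',
  'action', 'formaction', 'data', 'poster', 'background', 'ping',
  'xlink:href', 'dynsrc', 'lowsrc',
];

function gateSet(options) {
  return new Set((options.allowedSchemesAppliedToAttributes || DEFAULT_GATE)
    .map((a) => a.toLowerCase()));
}

// Returns "tag.attr" strings for every allowed URI attribute whose value
// would not be scheme-checked under the given options.
function auditConfig(options) {
  const gate = gateSet(options);
  const allowed = options.allowedAttributes;
  if (allowed === false) {
    // Every attribute is allowed, so every ungated URI attribute is exposed.
    return URI_ATTRIBUTES.filter((a) => !gate.has(a)).map((a) => `*.${a}`);
  }
  const findings = [];
  for (const [tag, attrs] of Object.entries(allowed || {})) {
    for (const attr of attrs) {
      const name = (typeof attr === 'string' ? attr : attr.name).toLowerCase();
      if (URI_ATTRIBUTES.includes(name) && !gate.has(name)) {
        findings.push(`${tag}.${name}`);
      }
    }
  }
  return findings;
}

// Returns a copy of the options with every known URI attribute added to the
// gate list, so the scheme check applies wherever those attributes are allowed.
function hardenConfig(options) {
  const gate = gateSet(options);
  for (const name of URI_ATTRIBUTES) gate.add(name);
  return { ...options, allowedSchemesAppliedToAttributes: [...gate] };
}

// Constructed sample configuration: it allows form/action and video/poster
// without extending the gate list, the pattern the advisory describes.
const weakOptions = {
  allowedTags: ['a', 'form', 'video'],
  allowedAttributes: { a: ['href'], form: ['action'], video: ['poster'] },
};

console.log('ungated before:', auditConfig(weakOptions));
console.log('ungated after: ', auditConfig(hardenConfig(weakOptions)));
```

Upgrading to 2.17.5 is the fix the advisory gives; extending `allowedSchemesAppliedToAttributes` to cover every URI-bearing attribute a configuration allows is a defence-in-depth check that also catches configurations which override the default gate list with a shorter one.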
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apostrophecms | sanitize-html | < 2.17.5 | 2.17.5 |
| container-native-virtualization | kubevirt-console-plugin-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| multicluster-engine | console-mce-rhel9 | — | — |
| network-observability | network-observability-console-plugin-rhel9 | — | — |
| open-telemetry | opentelemetry-collector-contrib | — | — |
| openshift-gitops-1 | console-plugin-rhel8 | — | — |
| openshift3 | ose-console | — | — |
| openshift4 | ose-agent-installer-ui-rhel9 | — | — |
| openshift4 | ose-console | — | — |
| openshift4 | ose-console-rhel9 | — | — |
| quay | quay-rhel8 | — | — |
| quay | quay-rhel9 | — | — |
| rhacm2 | console-rhel9 | — | — |
| rhdh | rhdh-hub-rhel9 | — | — |
| rhoai | odh-mlflow-rhel9 | — | — |
| satellite | iop-advisor-frontend-rhel9 | — | — |
| satellite | iop-host-inventory-frontend-rhel9 | — | — |
| satellite | iop-vulnerability-frontend-rhel9 | — | — |
CVSS provenance
NVD (CVSS v3.1): 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Red Hat (vendor): 5.4 MEDIUM
Red Hat
apostrophecms sanitize-html: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation
vendor_redhat · 2026-06-12 · CVSS 5.4 (MEDIUM) · CWE-79
VulDB
apostrophecms apostrophe up to 2.17.4 API naughtyHref cross site scripting (GHSA-vccv-cmxp-4j9h)
vuldb · 2026-06-13 · CVSS 5.4 (MEDIUM)
A vulnerability categorized as problematic has been discovered in apostrophecms apostrophe up to 2.17.4. This affects the function naughtyHref of the component API. The manipulation results in cross site scripting.
This vulnerability is reported as CVE-2026-53606. The attack can be launched remotely. No exploit exists.
It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-53606 glances: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Disclaimer: Community trackers are created by the Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package before starting the update process.
Bugzilla
CVE-2026-53606 prometheus: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 python-jupyterlab_pygments: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 jupyterlab: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 python-jupyterlab_pygments: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [epel-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 prometheus: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [epel-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 cockatrice: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 python-jupyterlab-widgets: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 python-jupyterlab-widgets: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [epel-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 python-ipyparallel: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 golang-github-apache-beam-2: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 python-jupytext: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 jupyterlab: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [epel-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 glances: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [epel-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 python-nbdime: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 python-ipyparallel: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation [epel-all]
bugzilla · 2026-06-30 · CVSS 5.4 (MEDIUM)
Bugzilla
CVE-2026-53606 apostrophecms sanitize-html: sanitize-html: Cross-Site Scripting (XSS) via insufficient URI scheme validation
bugzilla · 2026-06-12 · CVSS 5.4 (MEDIUM)