CVE-2026-40186: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in apostrophecms apostrophe
ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependency on the vulnerable sanitize-html version. The code at packages/sanitize-html/index.js:569-573 incorrectly assumes that htmlparser2 does not decode entities inside these elements and skips escaping, but htmlparser2 10.x does decode entities before passing text to the ontext callback. As a result, entity-encoded HTML is decoded by the parser and then written directly to the output as literal HTML characters, completely bypassing the allowedTags filter. An attacker can inject arbitrary tags including XSS payloads through any allowed option or textarea element using entity encoding. This affects non-default configurations where option or textarea are included in allowedTags, which is common in form builders and CMS platforms. This issue has been fixed in version 2.17.2 of sanitize-html and 4.29.0 of ApostropheCMS.
AI Analysis
Technical Summary
ApostropheCMS 4.28.0 is vulnerable to a cross-site scripting issue via its dependency on sanitize-html 2.17.1, which introduced a regression bypassing allowedTags enforcement for text inside textarea and option elements. The root cause is that sanitize-html incorrectly assumes htmlparser2 does not decode entities inside these elements, leading to unescaped literal HTML output. Attackers can inject arbitrary HTML tags, including XSS payloads, through entity encoding in allowed textarea or option elements. This affects non-default configurations that permit these tags. The vulnerability is resolved in sanitize-html 2.17.2 and ApostropheCMS 4.29.0.
Potential Impact
Successful exploitation allows an attacker to inject arbitrary HTML tags, including malicious scripts, into pages rendered by ApostropheCMS when textarea or option tags are allowed. This can lead to cross-site scripting attacks, potentially compromising user sessions or executing unauthorized actions. The impact is limited to configurations that include textarea or option in allowedTags. There are no known exploits in the wild as of the publication date.
Mitigation Recommendations
A fix is available. Users should upgrade sanitize-html to version 2.17.2 or later and ApostropheCMS to version 4.29.0 or later to remediate this vulnerability. Until upgraded, avoid configurations that allow textarea or option tags in allowedTags if possible. Patch status is confirmed by the vendor advisory indicating the issue is fixed in these versions.
CVE-2026-40186: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in apostrophecms apostrophe
Description
ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependency on the vulnerable sanitize-html version. The code at packages/sanitize-html/index.js:569-573 incorrectly assumes that htmlparser2 does not decode entities inside these elements and skips escaping, but htmlparser2 10.x does decode entities before passing text to the ontext callback. As a result, entity-encoded HTML is decoded by the parser and then written directly to the output as literal HTML characters, completely bypassing the allowedTags filter. An attacker can inject arbitrary tags including XSS payloads through any allowed option or textarea element using entity encoding. This affects non-default configurations where option or textarea are included in allowedTags, which is common in form builders and CMS platforms. This issue has been fixed in version 2.17.2 of sanitize-html and 4.29.0 of ApostropheCMS.
CVSS v3.1
Score 6.1medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
ApostropheCMS 4.28.0 is vulnerable to a cross-site scripting issue via its dependency on sanitize-html 2.17.1, which introduced a regression bypassing allowedTags enforcement for text inside textarea and option elements. The root cause is that sanitize-html incorrectly assumes htmlparser2 does not decode entities inside these elements, leading to unescaped literal HTML output. Attackers can inject arbitrary HTML tags, including XSS payloads, through entity encoding in allowed textarea or option elements. This affects non-default configurations that permit these tags. The vulnerability is resolved in sanitize-html 2.17.2 and ApostropheCMS 4.29.0.
Potential Impact
Successful exploitation allows an attacker to inject arbitrary HTML tags, including malicious scripts, into pages rendered by ApostropheCMS when textarea or option tags are allowed. This can lead to cross-site scripting attacks, potentially compromising user sessions or executing unauthorized actions. The impact is limited to configurations that include textarea or option in allowedTags. There are no known exploits in the wild as of the publication date.
Mitigation Recommendations
A fix is available. Users should upgrade sanitize-html to version 2.17.2 or later and ApostropheCMS to version 4.29.0 or later to remediate this vulnerability. Until upgraded, avoid configurations that allow textarea or option tags in allowedTags if possible. Patch status is confirmed by the vendor advisory indicating the issue is fixed in these versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T20:59:17.620Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Epss Score
- 0.0001
- Epss Percentile
- 0.01163
- Epss Date
- 2026-04-26
- Gcve Source
- db.gcve.eu
Threat ID: 69dff5b982d89c981f9734d0
Added to database: 4/15/2026, 8:31:53 PM
Last enriched: 4/22/2026, 11:11:20 PM
Last updated: 5/31/2026, 5:30:54 AM
Views: 74
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.