CVE-2026-40186
XSS Vulnerability in ApostropheCMS via sanitize-html Entity Decoding

Publication date: 2026-04-15

Last updated on: 2026-04-25

Assigner: GitHub, Inc.

Description
ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in version 2.17.1 of the ApostropheCMS-maintained sanitize-html package, bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependency on the vulnerable sanitize-html version. The code at packages/sanitize-html/index.js:569-573 incorrectly assumes that htmlparser2 does not decode entities inside these elements and therefore skips escaping, but htmlparser2 10.x does decode entities before passing text to the ontext callback. As a result, entity-encoded HTML is decoded by the parser and then written directly to the output as literal HTML characters, completely bypassing the allowedTags filter. An attacker can inject arbitrary tags, including XSS payloads, through any allowed option or textarea element by using entity encoding. This affects non-default configurations where option or textarea are included in allowedTags, which is common in form builders and CMS platforms. This issue has been fixed in version 2.17.2 of sanitize-html and 4.29.0 of ApostropheCMS.
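The mechanism in the description, shown as an added example that is not sanitize-html's or ApostropheCMS's code: a small model of the text-node path in which the parser has already decoded entities, with the 2.17.1-style "skip escaping inside textarea/option" branch beside the always-escape behaviour, and a check a maintainer can run over any sanitizer's output. The `decodeEntities` stand-in for htmlparser2 and the sample input are assumptions constructed for this example.

```javascript
// Added example (not sanitize-html's own code): models the text-node path the
// advisory describes, where the sanitizer must re-escape parser-decoded text.

// Stand-in for htmlparser2's entity decoding (assumption: named entities plus
// numeric references are enough to show the behaviour).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return Number.isNaN(code) ? match : String.fromCodePoint(code);
    }
    return NAMED[body.toLowerCase()] || match;
  });
}

// Escaping every emitted text node needs so decoded characters stay inert.
function escapeText(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// fixed=true is the 2.17.2-style behaviour (escape always); fixed=false
// reproduces the 2.17.1 regression, which skips escaping for textarea/option
// on the wrong assumption that the text is still entity-encoded on arrival.
const NON_TEXT_TAGS = ['textarea', 'option'];
function emitText(rawText, parentTag, fixed) {
  const decoded = decodeEntities(rawText); // what the ontext callback sees
  if (!fixed && NON_TEXT_TAGS.includes(parentTag)) {
    return decoded; // decoded markup is written out literally
  }
  return escapeText(decoded);
}

function sanitizeElement(parentTag, rawText, fixed) {
  return `<${parentTag}>${emitText(rawText, parentTag, fixed)}</${parentTag}>`;
}

// Regression check usable against any sanitizer's output: once the wrapping
// element is stripped, no literal tag may remain in what was a text node.
function leaksMarkup(output, parentTag) {
  const wrapper = new RegExp(`^<${parentTag}>|</${parentTag}>$`, 'gi');
  return /<[a-zA-Z/]/.test(output.replace(wrapper, ''));
}

// Constructed benign input: an entity-encoded <b> inside an allowed textarea.
const SAMPLE = '&lt;b&gt;hello&lt;/b&gt;';
console.log('2.17.1:', sanitizeElement('textarea', SAMPLE, false)); // leaks
console.log('2.17.2:', sanitizeElement('textarea', SAMPLE, true));  // escaped
```

To use `leaksMarkup` against a real installation, pass it the string the installed sanitizer returns for an allowed textarea containing entity-encoded text; a `true` result indicates the regression described above.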
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
apostrophecms | apostrophecms | 4.29.0
apostrophecms | sanitize-html | up to 2.17.1 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a regression in the sanitize-html package used by ApostropheCMS. It occurs because the code incorrectly assumes that the htmlparser2 library does not decode entities inside certain HTML elements like textarea and option. However, htmlparser2 version 10.x does decode these entities before processing the text. As a result, entity-encoded HTML inside these elements is decoded and then output directly as literal HTML characters, bypassing the allowedTags filter.

This means that an attacker can inject arbitrary HTML tags, including malicious scripts (XSS payloads), through any allowed option or textarea element by using entity encoding. This affects configurations where option or textarea tags are included in allowedTags, which is common in form builders and CMS platforms.

The issue was fixed in sanitize-html version 2.17.2 and ApostropheCMS version 4.29.0.


How can this vulnerability impact me?

This vulnerability can allow an attacker to inject arbitrary HTML tags, including cross-site scripting (XSS) payloads, into web pages rendered by ApostropheCMS when using vulnerable versions. This can lead to the execution of malicious scripts in the context of users' browsers.

  • Compromise of user data through theft of cookies or session tokens.
  • Defacement or manipulation of website content.
  • Potential redirection of users to malicious sites.
  • Loss of user trust and damage to the website's reputation.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade the affected packages to the fixed versions.

  • Upgrade sanitize-html to version 2.17.2 or later.
  • Upgrade ApostropheCMS to version 4.29.0 or later.

These updates address the issue where entity-encoded HTML bypasses the allowedTags filter, preventing potential XSS payload injection.

