CVE-2026-53606
Status: Received (intake)
Stored XSS in ApostropheCMS via sanitize-html

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
ApostropheCMS is an open-source Node.js content management system, and sanitize-html, maintained by the same project, is an HTML sanitizer with a simple API. In sanitize-html before 2.17.5, the option `allowedSchemesAppliedToAttributes` (default: `['href', 'src', 'cite']`) decides which attributes are passed through `naughtyHref()`, the check that rejects dangerous URI schemes such as `javascript:` and `vbscript:`. HTML, counting the obsolete and legacy attributes that browsers still honour, has more than ten URI-valued attributes besides those three, among them `action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc` and `lowsrc`, and none of them is in the default gate list. A configuration that allows any of these attributes therefore lets a `javascript:` URI through completely unmodified, enabling XSS (stored XSS when the sanitized HTML is persisted and served to other users). The library's default `allowedAttributes` does not include these attributes, so only configurations that add one of them without also adding it to `allowedSchemesAppliedToAttributes` are exposed. Version 2.17.5 patches the issue.
Meta Information
Generated: 2026-06-13
CVSS: not yet scored
EPSS: not yet evaluated (N/A)
Affected Vendors & Products
Vendor: sanitize-html
Product: sanitize-html
Version / Range: all versions before 2.17.5 (2.17.5 itself is not affected)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
KEV: not listed
Mitigation Strategies

Upgrade sanitize-html to version 2.17.5 or later, where URI-valued attributes outside the old default gate list no longer let dangerous schemes through. Check for transitive use as well (for example `npm ls sanitize-html` in a project that depends on ApostropheCMS or another package that sanitizes HTML), since the vulnerable copy may not be a direct dependency. Until the upgrade is in place, review your sanitizer options: either do not allow any of the affected attributes (`action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc`, `lowsrc`), or add every URI-valued attribute you do allow to `allowedSchemesAppliedToAttributes` so that the scheme check is applied to it. A configuration that only uses the library's default attribute allow list is not exposed, but one that adds any of these attributes is, regardless of what `allowedSchemes` contains.

Executive Summary

This vulnerability exists in versions of sanitize-html prior to 2.17.5. The library uses a setting called allowedSchemesAppliedToAttributes to control which HTML attributes are checked for dangerous URI schemes like javascript: and vbscript:. By default, only a few attributes such as href, src, and cite are checked. However, the HTML specification includes many other attributes that can contain URIs, such as action, formaction, data, poster, background, ping, xlink:href, dynsrc, and lowsrc. These additional attributes were not included in the default checks, so if a developer allowed any of these attributes, malicious javascript: URIs could pass through unfiltered. This enables cross-site scripting (XSS) attacks. The issue was fixed in version 2.17.5.
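
A self-contained model of the gate described in the Description and the Executive Summary above, added here as an example; it is not sanitize-html's own code and does not require the library. It assumes attribute values arrive already entity-decoded (as the HTML parser would hand them to the sanitizer), flattens `allowedAttributes` to a single list instead of the library's per-tag map, and uses its own list of URI-valued attributes (`URI_ATTRS`) built from the attributes named in the advisory. `naughtyHref`, `filterAttributes` and `ungatedUriAttributes` are the example's own functions; only the option names `allowedSchemes` and `allowedSchemesAppliedToAttributes`, and the default values shown for them, come from the library. The run shows the pre-2.17.5 behaviour (a `javascript:` URI in `formaction` survives under the default gate list while the same URI in `href` is dropped), the hardened configuration, and `ungatedUriAttributes`, which is the audit you would run against your own options.

```javascript
// Added example, not sanitize-html's code: a minimal model of how
// allowedSchemesAppliedToAttributes gates the scheme check. Attribute values
// are assumed to be already entity-decoded, as the HTML parser would deliver
// them; the real library also handles comments, srcset, per-tag attribute
// maps and much more.

// Documented default of allowedSchemes in sanitize-html.
const DEFAULT_ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'mailto', 'tel'];

// Default gate list in sanitize-html before 2.17.5 (from the advisory).
const DEFAULT_GATED_ATTRS = ['href', 'src', 'cite'];

// URI-valued attributes named in the advisory plus the three defaults.
// This list belongs to the example; it is not taken from the library.
const URI_ATTRS = [
  'href', 'src', 'cite', 'action', 'formaction', 'data', 'poster',
  'background', 'ping', 'xlink:href', 'dynsrc', 'lowsrc',
];

// Scheme check modelled on the advisory's naughtyHref(): strip whitespace and
// control characters first (browsers ignore them, so "java\tscript:" still
// executes), then reject any explicit scheme that is not on the allow list.
function naughtyHref(value, allowedSchemes) {
  const cleaned = value.replace(/[\x00-\x20]+/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  if (!m) return false; // relative URL: no scheme to judge
  return !allowedSchemes.includes(m[1].toLowerCase());
}

// Keep an element's attributes the way the gate works: an allowed attribute
// is scheme-checked only if it appears in allowedSchemesAppliedToAttributes.
function filterAttributes(attrs, opts) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (!opts.allowedAttributes.includes(name)) continue;
    const gated = opts.allowedSchemesAppliedToAttributes.includes(name);
    if (gated && naughtyHref(value, opts.allowedSchemes)) continue;
    kept[name] = value;
  }
  return kept;
}

// Config audit: allowed attributes that take URIs but are never gated.
// Run this against any configuration still on a version before 2.17.5.
function ungatedUriAttributes(opts) {
  return opts.allowedAttributes.filter(
    (a) => URI_ATTRS.includes(a) &&
      !opts.allowedSchemesAppliedToAttributes.includes(a),
  );
}

// Constructed input: a javascript: URI in formaction (with an embedded tab),
// the same kind of payload in href, and a harmless title.
const attrs = {
  href: 'javascript:alert(1)',
  formaction: 'java\tscript:alert(document.cookie)',
  title: 'Submit',
};

// A developer who adds formaction but keeps the old default gate list.
const vulnerableOpts = {
  allowedAttributes: ['href', 'formaction', 'title'],
  allowedSchemes: DEFAULT_ALLOWED_SCHEMES,
  allowedSchemesAppliedToAttributes: DEFAULT_GATED_ATTRS,
};

// Same allow list, with the gate extended to every URI-valued attribute.
const hardenedOpts = {
  ...vulnerableOpts,
  allowedSchemesAppliedToAttributes: URI_ATTRS,
};

console.log('ungated:', ungatedUriAttributes(vulnerableOpts));  // [ 'formaction' ]
console.log('vulnerable:', filterAttributes(attrs, vulnerableOpts)); // formaction survives
console.log('hardened:', filterAttributes(attrs, hardenedOpts));     // only title survives
```

Run it with `node`. The first call is the part worth keeping: feed it your real options (flattened per tag) and any attribute it reports is one that a pre-2.17.5 sanitize-html will pass through without a scheme check.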

Impact Analysis

This vulnerability can allow attackers to inject malicious JavaScript code into web pages by exploiting unfiltered URI attributes. This leads to cross-site scripting (XSS) attacks, which can compromise user data, hijack user sessions, deface websites, or perform unauthorized actions on behalf of users. The impact includes loss of data confidentiality and integrity, and potential damage to the reputation of affected websites.
