Lucene search
K

202 matches found

EUVD
EUVD
added 2026/07/01 12:34 a.m.10 views

EUVD-2026-40444

n8n contains a stored cross-site scripting vulnerability in the Chat Trigger node's Custom CSS field due to a misconfiguration of the sanitize-html library. Affected releases are those before 1.123.27, the 2.0.0 through 2.13.2 line, and 2.14.0 fixed in 1.123.27, 2.13.3, and 2.14.1. An authenticat...

5.4CVSS5.6AI score0.00177EPSS
Exploits0References3
NVD
NVD
added 2026/06/30 11:17 p.m.9 views

CVE-2026-56356

n8n contains a stored cross-site scripting vulnerability in the Chat Trigger node's Custom CSS field due to a misconfiguration of the sanitize-html library. Affected releases are those before 1.123.27, the 2.0.0 through 2.13.2 line, and 2.14.0 fixed in 1.123.27, 2.13.3, and 2.14.1. An authenticat...

5.4CVSS0.00177EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/30 10:8 p.m.4 views

CVE-2026-56356

n8n contains a stored cross-site scripting vulnerability in the Chat Trigger node's Custom CSS field due to a misconfiguration of the sanitize-html library. Affected releases are those before 1.123.27, the 2.0.0 through 2.13.2 line, and 2.14.0 fixed in 1.123.27, 2.13.3, and 2.14.1. An authenticat...

5.4CVSS5.6AI score0.00177EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/06/30 10:8 p.m.16 views

CVE-2026-56356

Summary: CVE-2026-56356 affects n8n’s Chat Trigger node Custom CSS field, where a misconfiguration of the sanitize-html library allows stored XSS. Affected versions: before 1.123.27; 2.0.0–2.13.2; 2.14.0. Impact: an authenticated user with workflow creation/modification rights can inject JavaScri...

5.4CVSS5.6AI score0.00177EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/30 5:40 p.m.8 views

CVE-2026-53606

A flaw was found in sanitize-html, an HTML sanitizer library. This vulnerability allows a remote attacker to perform Cross-Site Scripting XSS attacks. The issue occurs because the sanitizer does not properly validate dangerous URI schemes, such as javascript:, when they are used in certain HTML...

5.4CVSS5.8AI score0.00136EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.5 views

PT-2026-54040

Name of the Vulnerable Software and Affected Versions n8n versions prior to 1.123.27 n8n versions 2.0.0 through 2.13.2 n8n version 2.14.0 Description A stored cross-site scripting issue exists in the Chat Trigger node's Custom CSS field caused by a misconfiguration of the sanitize-html library. A...

5.4CVSS5.8AI score0.00177EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/25 7:0 p.m.4 views

CVE-2026-44990

A flaw was found in the sanitize-html library. Under its default configuration, an attacker can embed malicious content within a disallowed xmp element. This vulnerability allows the attacker to bypass the HTML sanitization process, leading to stored Cross-Site Scripting XSS. Successful...

9.3CVSS6.3AI score0.00397EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/12 10:9 p.m.6 views

Cross-site Scripting (XSS)

Overview sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Cross-site Scripting XSS incomplete validation of URI schemes in attributes su...

5.4CVSS5.3AI score0.00136EPSS
Exploits0References2
NVD
NVD
added 2026/06/12 9:16 p.m.16 views

CVE-2026-53606

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use allowedSchemesAppliedToAttributes default: 'href', 'src', 'cite' to gate the naughtyHref function that blocks...

5.4CVSS0.00136EPSS
Exploits0References1
NVD
NVD
added 2026/06/12 9:16 p.m.21 views

CVE-2026-44990

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...

9.3CVSS0.00397EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 8:50 p.m.11 views

EUVD-2026-36574

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use allowedSchemesAppliedToAttributes default: 'href', 'src', 'cite' to gate the naughtyHref function that blocks...

5.4CVSS5.3AI score0.00136EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 8:50 p.m.32 views

CVE-2026-53606

A CVE-2026-53606 entry concerns ApostropheCMS (Node.js) and its dependency sanitize-html. The issue arises in sanitize-html versions prior to 2.17.5, where allowedSchemesAppliedToAttributes (default: ['href','src','cite']) do not cover all URI-bearing attributes (e.g., action, formaction, data, p...

5.4CVSS5.3AI score0.00136EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 8:50 p.m.35 views

CVE-2026-53606 sanitize-html has an incomplete URI scheme validation that allows javascript: URIs through action, formaction, data, poster, and background attributes

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use allowedSchemesAppliedToAttributes default: 'href', 'src', 'cite' to gate the naughtyHref function that blocks...

5.4CVSS0.00136EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 8:39 p.m.9 views

CVE-2026-44990 Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...

9.3CVSS5.1AI score0.00397EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:39 p.m.10 views

EUVD-2026-36566

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...

9.3CVSS5.2AI score0.00397EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 8:39 p.m.69 views

CVE-2026-44990

CVE-2026-44990 affects the sanitize-html package used with ApostropheCMS. Under default configuration (disallowedTagsMode: 'discard'), versions before 2.17.4 allow attacker-controlled content inside a disallowed xmp element to bypass sanitization and render as live HTML/JS, enabling stored XSS. T...

9.3CVSS5.2AI score0.00397EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/12 8:39 p.m.38 views

CVE-2026-44990 Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...

9.3CVSS0.00397EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.33 views

PT-2026-48990

Name of the Vulnerable Software and Affected Versions sanitize-html versions prior to 2.17.5 Description The software uses the allowedSchemesAppliedToAttributes variable to control the naughtyHref function, which is designed to block dangerous URI schemes such as javascript: and vbscript:. Howeve...

5.4CVSS5.2AI score0.00136EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:27 p.m.10 views

CVE-2026-40186

ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements textarea and option...

6.1CVSS5.7AI score0.00235EPSS
Exploits1References1
OSV
OSV
added 2026/06/04 9:5 p.m.10 views

ROOT-APP-NPM-CVE-2026-44990 CVE-2026-44990 in @rootio/sanitize-html - Patched by Root

Root has patched CVE-2026-44990 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...

9.3CVSS5.8AI score0.00397EPSS
Exploits0
Rows per page
Query Builder