Lucene search
K

4 matches found

EUVD
EUVD
added 2026/06/12 8:39 p.m.10 views

EUVD-2026-36566

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...

9.3CVSS5.2AI score0.00397EPSS
Exploits0References1
OSV
OSV
added 2026/06/12 8:39 p.m.3 views

CVE-2026-44990 Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...

9.3CVSS5.9AI score0.00397EPSS
Exploits0References8
OSV
OSV
added 2026/05/14 6:26 p.m.7 views

GHSA-RPR9-RXV7-X643 Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

Summary Under the default configuration, sanitize-html can turn attacker-controlled content inside a disallowed xmp element into live HTML or JavaScript. This is a sanitizer bypass in the default disallowedTagsMode: 'discard' path and can lead to stored XSS in applications that render sanitized...

9.3CVSS6AI score0.00397EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/14 6:26 p.m.40 views

Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

Summary Under the default configuration, sanitize-html can turn attacker-controlled content inside a disallowed xmp element into live HTML or JavaScript. This is a sanitizer bypass in the default disallowedTagsMode: 'discard' path and can lead to stored XSS in applications that render sanitized...

9.3CVSS6AI score0.00397EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder