194 matches found
CVE-2026-53606
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use the allowedSchemesAppliedToAttributes default (['href', 'src', 'cite']) to gate the naughtyHref function that blocks...
CVE-2026-44990
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...
CVE-2026-53606 sanitize-html has an incomplete URI scheme validation that allows javascript: URIs through action, formaction, data, poster, and background attributes
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use the allowedSchemesAppliedToAttributes default (['href', 'src', 'cite']) to gate the naughtyHref function that blocks...
EUVD-2026-36574
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use the allowedSchemesAppliedToAttributes default (['href', 'src', 'cite']) to gate the naughtyHref function that blocks...
CVE-2026-53606
A CVE-2026-53606 entry concerns ApostropheCMS (Node.js) and its dependency sanitize-html. The issue arises in sanitize-html versions prior to 2.17.5, where allowedSchemesAppliedToAttributes (default: ['href','src','cite']) does not cover all URI-bearing attributes (e.g., action, formaction, data, p...
CVE-2026-44990
CVE-2026-44990 affects the sanitize-html package used with ApostropheCMS. Under default configuration (disallowedTagsMode: 'discard'), versions before 2.17.4 allow attacker-controlled content inside a disallowed xmp element to bypass sanitization and render as live HTML/JS, enabling stored XSS. T...
CVE-2026-44990 Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...
EUVD-2026-36566
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...
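The CVE-2026-44990 entries above describe the failure mode only as "xmp raw-text passthrough". The following is an added toy sanitizer written for this page to make that mechanism concrete; it is not sanitize-html's code, and the specific internals (a tokenizer that captures raw-text element content as one text node, and a text emitter that trusts such nodes) are an assumed model of the described behaviour, not a claim about how the library is implemented. Browsers tokenise the body of xmp as raw text, so markup inside it is inert only while the xmp wrapper exists; once a sanitizer in 'discard' mode drops the wrapper but copies the captured text through unescaped, the browser re-parses that text as live HTML.

```javascript
// Constructed toy sanitizer (assumed model, not sanitize-html's implementation).
// Shows the raw-text passthrough failure mode from CVE-2026-44990 in its smallest form.
const RAW_TEXT_TAGS = new Set(['xmp', 'script', 'style', 'plaintext']);
const ALLOWED_TAGS = new Set(['b', 'i', 'p', 'a']);   // assumed allow-list for the demo

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Splits input into text/open/close tokens. The body of a raw-text element is
// captured as ONE text token up to its closing tag, mirroring how a browser
// tokenises <xmp>: nothing inside is treated as markup while the wrapper stands.
function tokenize(html) {
  const tokens = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let pos = 0;
  while (pos < html.length) {
    tagRe.lastIndex = pos;
    const m = tagRe.exec(html);
    if (!m) { tokens.push({ type: 'text', raw: html.slice(pos) }); break; }
    if (m.index > pos) tokens.push({ type: 'text', raw: html.slice(pos, m.index) });
    const name = m[1].toLowerCase();
    const closing = m[0][1] === '/';
    tokens.push({ type: closing ? 'close' : 'open', name, raw: m[0] });
    pos = m.index + m[0].length;
    if (!closing && RAW_TEXT_TAGS.has(name)) {
      const rest = html.slice(pos);
      const e = new RegExp(`</${name}\\s*>`, 'i').exec(rest);
      const end = e ? e.index : rest.length;
      tokens.push({ type: 'text', raw: rest.slice(0, end), rawText: true });
      pos += end;
    }
  }
  return tokens;
}

// disallowedTagsMode 'discard' style: disallowed tags (xmp included) are dropped,
// allowed tags are re-emitted without attributes, text is emitted in between.
function sanitize(html, { escapeRawText }) {
  let out = '';
  for (const t of tokenize(html)) {
    if (t.type === 'text') {
      // Vulnerable model: text captured from a raw-text element is trusted as
      // "already text" and copied through verbatim. With the <xmp> wrapper gone,
      // the browser re-parses it as markup. Hardened: every text node is escaped.
      out += (t.rawText && !escapeRawText) ? t.raw : escapeHtml(t.raw);
    } else if (ALLOWED_TAGS.has(t.name)) {
      out += t.type === 'open' ? `<${t.name}>` : `</${t.name}>`;
    }
  }
  return out;
}

// Constructed attacker input: markup hidden inside a disallowed xmp element.
const PAYLOAD = '<p>hi</p><xmp><img src=x onerror=alert(1)></xmp>';

function demo() {
  return {
    vulnerable: sanitize(PAYLOAD, { escapeRawText: false }),
    hardened: sanitize(PAYLOAD, { escapeRawText: true }),
  };
}

console.log(demo());
```

The check to take from this: feed your deployed sanitizer an `<xmp>` (and `<plaintext>`, `<textarea>`, `<script>`, `<style>`) wrapper around markup and inspect whether the wrapper's content comes out escaped, dropped, or verbatim. Escaping is the conservative fix shown here; dropping the content outright, the way sanitize-html treats script and style bodies via its nonTextTags handling, is the other acceptable outcome. Verbatim is the bug, regardless of which tag produced it.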
PT-2026-48990
Name of the Vulnerable Software and Affected Versions sanitize-html versions prior to 2.17.5 Description The software uses the allowedSchemesAppliedToAttributes variable to control the naughtyHref function, which is designed to block dangerous URI schemes such as javascript: and vbscript:. Howeve...
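The CVE-2026-53606 / PT-2026-48990 entries above all describe the same gap: the scheme check (naughtyHref) is only applied to attributes listed in allowedSchemesAppliedToAttributes, and the pre-2.17.5 default list is ['href', 'src', 'cite']. The block below is an added stand-in written for this page, not sanitize-html's code: a scheme gate with the same shape, run once with the narrow default list and once with the list widened to the attributes the entries name (action, formaction, data, poster, background). The allowed-scheme list and the sample attribute values are constructed for the demo; the stand-in assumes attribute values are already entity-decoded, as an HTML parser would deliver them.

```javascript
// Constructed stand-in for a sanitize-html style URI-scheme gate (not the library's code).
// Assumed allow-list of schemes a sanitizer would permit on URL attributes.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto', 'tel'];

// Attributes the scheme gate is applied to. The first mirrors the pre-2.17.5
// default named in the advisories; the second is the widened list.
const DEFAULT_URI_ATTRIBUTES = ['href', 'src', 'cite'];
const HARDENED_URI_ATTRIBUTES = [
  ...DEFAULT_URI_ATTRIBUTES,
  'action', 'formaction', 'data', 'poster', 'background',
];

// True when the value carries a scheme that is not allow-listed. Whitespace
// and control characters are stripped first because browsers ignore them when
// parsing "java\tscript:"; a value with no scheme is a relative URL and passes.
// Named after the sanitize-html function the advisories mention; this body is a stand-in.
function naughtyHref(value, allowedSchemes = ALLOWED_SCHEMES) {
  const cleaned = String(value).replace(/[\x00-\x20]+/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  if (!m) return false;
  return !allowedSchemes.includes(m[1].toLowerCase());
}

// Keeps only attributes that survive the gate. `uriAttributes` is the set the
// gate is applied to; anything outside that set is passed through uninspected.
// That is the whole bug: a URI-bearing attribute missing from the list never
// reaches naughtyHref at all.
function sanitizeAttributes(attrs, uriAttributes) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    const key = name.toLowerCase();
    if (uriAttributes.includes(key) && naughtyHref(value)) continue;  // drop it
    out[key] = value;
  }
  return out;
}

// Constructed attacker-controlled attribute set on a single element.
const ATTACK = {
  href: 'javascript:alert(1)',                    // gated by both lists
  formaction: 'javascript:alert(document.domain)', // missed by the default list
  data: 'java\nscript:alert(2)',                  // missed, and whitespace-split
  src: 'https://example.invalid/a.png',           // benign, must survive
};

function demo() {
  return {
    vulnerable: sanitizeAttributes(ATTACK, DEFAULT_URI_ATTRIBUTES),
    hardened: sanitizeAttributes(ATTACK, HARDENED_URI_ATTRIBUTES),
  };
}

console.log(demo());
```

Two practical notes. The gap only bites if your allowedAttributes configuration lets those attributes through in the first place (sanitize-html's defaults do not allow formaction, action, data, poster or background), so grep your sanitizer options for them. The fix is 2.17.5; if you cannot upgrade immediately and you do allow any of those attributes, listing them in allowedSchemesAppliedToAttributes, as the hardened list above does, puts them under the same scheme check as href.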
CVE-2026-40186
ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in version 2.17.1 of the ApostropheCMS-maintained sanitize-html package, bypasses allowedTags enforcement for text inside nonTextTagsArray elements textarea and option...
ROOT-APP-NPM-CVE-2026-44990 CVE-2026-44990 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2026-44990 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-NSWG-ECO-154 NSWG-ECO-154 in @rootio/sanitize-html - Patched by Root
Root has patched NSWG-ECO-154 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2022-25887 CVE-2022-25887 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2022-25887 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2019-25225 CVE-2019-25225 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2019-25225 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2024-21501 CVE-2024-21501 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2024-21501 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2021-26540 CVE-2021-26540 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2021-26540 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2021-26539 CVE-2021-26539 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2021-26539 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2017-16016 CVE-2017-16016 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2017-16016 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2016-1000237 CVE-2016-1000237 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2016-1000237 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...