8 matches found
CVE-2024-21501
CVE-2024-21501 – sanitize-html information exposure : The sanitize-html package (pre-2.12.1) on the backend with the style attribute enabled can disclose sensitive filesystem and dependency details by enumerating files. Affected: sanitize-html versions before 2.12.1. Impact is information disclos...
CVE-2022-25887
CVE-2022-25887 affects the Node.js package Sanitize-html up to version 2.7.1, vulnerable to a Regular Expression Denial of Service (ReDoS) caused by insecure global regex replacement during HTML comment removal. The NVD entry reports a CVSS v3.1 base score of 7.5 (high impact) with network attack...
CVE-2021-26539
CVE-2021-26539 affects Apostrophe Technologies sanitize-html prior to version 2.3.1. The vulnerability arises from improper handling of internationalized domain names (IDN), which can allow an attacker to bypass the hostname whitelist validated by the allowedIframeHostnames option. Impact is bypa...
CVE-2021-26540
The CVE-2021-26540 issue affects Apostrophe Technologies sanitize-html prior to 2.3.2, where the hostnames set in allowedIframeHostnames could be bypassed when allowIframeRelativeUrls is true, enabling bypass of the hostname whitelist for iframe src values starting with /\example.com. Public disc...
CVE-2026-40186
ApostropheCMS is affected by CVE-2026-40186 due to a regression in sanitize-html (commit 49d0bb7) that bypasses allowedTags for text inside nonTextTagsArray elements (textarea, option). Versions: the vulnerability exists in ApostropheCMS 4.28.0 via its sanitize-html dependency (2.17.1). The root ...
CVE-2016-1000237
CVE-2016-1000237 affects sanitize-html prior to 1.4.3, where input is not sanitized recursively which may allow XSS. Documented in multiple sources (Node.js advisory GHSA-3J7M-HMH3-9JMP, Red Hat, Debian, NVD/NVD list). Impact is cross-site scripting via vulnerable sanitize-html versions; exploita...
CVE-2019-25225
The CVE-2019-25225 entry has concrete details in connected documents: sanitize-html (pre-2.0.0-beta) is vulnerable to XSS when using the custom transformTags option. The vulnerability originates in sanitizeHtml() in index.js, which does not sanitize content under transformTags, allowing transform...
CVE-2014-125128
CVE-2014-125128 affects the sanitize-html library prior to 1.0.3. The root cause is the naughtyHref function not properly validating the href attribute in tags, allowing bypasses that rely on different casings, whitespace, or hexadecimal encodings. This leads to cross-site scripting (XSS) impact...