Lucene search
K
ApostrophecmsSanitize-html

8 matches found

CVE
CVE
added 2024/02/24 5:0 a.m.286 views

CVE-2024-21501

CVE-2024-21501 – sanitize-html information exposure : The sanitize-html package (pre-2.12.1) on the backend with the style attribute enabled can disclose sensitive filesystem and dependency details by enumerating files. Affected: sanitize-html versions before 2.12.1. Impact is information disclos...

5.3CVSS5AI score0.01018EPSS
CVE
CVE
added 2022/08/30 5:0 a.m.222 views

CVE-2022-25887

CVE-2022-25887 affects the Node.js package Sanitize-html up to version 2.7.1, vulnerable to a Regular Expression Denial of Service (ReDoS) caused by insecure global regex replacement during HTML comment removal. The NVD entry reports a CVSS v3.1 base score of 7.5 (high impact) with network attack...

7.5CVSS6.1AI score0.0115EPSS
CVE
CVE
added 2021/02/08 4:16 p.m.176 views

CVE-2021-26539

CVE-2021-26539 affects Apostrophe Technologies sanitize-html prior to version 2.3.1. The vulnerability arises from improper handling of internationalized domain names (IDN), which can allow an attacker to bypass the hostname whitelist validated by the allowedIframeHostnames option. Impact is bypa...

5.3CVSS5AI score0.01953EPSS
CVE
CVE
added 2021/02/08 4:16 p.m.114 views

CVE-2021-26540

The CVE-2021-26540 issue affects Apostrophe Technologies sanitize-html prior to 2.3.2, where the hostnames set in allowedIframeHostnames could be bypassed when allowIframeRelativeUrls is true, enabling bypass of the hostname whitelist for iframe src values starting with /\example.com. Public disc...

5.3CVSS5.1AI score0.01754EPSS
CVE
CVE
added 2026/04/15 8:15 p.m.72 views

CVE-2026-40186

ApostropheCMS is affected by CVE-2026-40186 due to a regression in sanitize-html (commit 49d0bb7) that bypasses allowedTags for text inside nonTextTagsArray elements (textarea, option). Versions: the vulnerability exists in ApostropheCMS 4.28.0 via its sanitize-html dependency (2.17.1). The root ...

6.1CVSS6AI score0.00235EPSS
CVE
CVE
added 2020/01/23 2:21 p.m.55 views

CVE-2016-1000237

CVE-2016-1000237 affects sanitize-html prior to 1.4.3, where input is not sanitized recursively which may allow XSS. Documented in multiple sources (Node.js advisory GHSA-3J7M-HMH3-9JMP, Red Hat, Debian, NVD/NVD list). Impact is cross-site scripting via vulnerable sanitize-html versions; exploita...

6.1CVSS6.2AI score0.0084EPSS
CVE
CVE
added 2025/09/08 10:2 a.m.30 views

CVE-2019-25225

The CVE-2019-25225 entry has concrete details in connected documents: sanitize-html (pre-2.0.0-beta) is vulnerable to XSS when using the custom transformTags option. The vulnerability originates in sanitizeHtml() in index.js, which does not sanitize content under transformTags, allowing transform...

6.1CVSS6.1AI score0.00251EPSS
CVE
CVE
added 2025/09/08 10:9 a.m.21 views

CVE-2014-125128

CVE-2014-125128 affects the sanitize-html library prior to 1.0.3. The root cause is the naughtyHref function not properly validating the href attribute in tags, allowing bypasses that rely on different casings, whitespace, or hexadecimal encodings. This leads to cross-site scripting (XSS) impact...

6.1CVSS6.1AI score0.00256EPSS