XSS Bypass Vulnerability in ApostropheCMS through Sanitize-HTML NPM Package
CVE-2026-40186

6.1 MEDIUM

Key Information:

Vendor:
CVE Published: 15 April 2026

What is CVE-2026-40186?

ApostropheCMS, a popular open-source Node.js content management system, is affected by a regression in version 2.17.1 of the sanitize-html package it uses to clean user-supplied HTML. The regression lets an attacker bypass the allowedTags filter and inject arbitrary HTML tags through textarea or option elements: sanitize-html fails to re-escape entity-encoded HTML inside the elements it tracks as nonTextTagsArray (by default script, style, textarea and option), so markup that was entity-encoded on input is emitted decoded and is treated as real HTML, with any script it carries executing, when the sanitized output is rendered in a browser. Only configurations that list textarea or option in allowedTags are exposed; sanitize-html's default allowedTags list includes neither element, but CMS platforms and form builders commonly add them. The issue is fixed in sanitize-html 2.17.2 and ApostropheCMS 4.29.0; until an upgrade is possible, removing textarea and option from allowedTags closes the bypass.
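The following is an added model of the serialization step behind this bug; it is not sanitize-html's or ApostropheCMS's code. It treats an allowed textarea the way the advisory describes the regression (parser-decoded text written back out without re-escaping) and shows the corrected behaviour beside it, a breakout check you can run over sanitizer output, and a helper that strips the two named tags from a sanitize-html options object. The payload string, decodeEntities() (standing in for the real parser's entity decoding) and every function name are constructed for the example; only the allowedTags option key is sanitize-html's own.

```javascript
// Added model (not sanitize-html's code) of the serialization step behind the
// textarea/option bypass: text inside an allowed raw-text element arrives from
// the parser with entities already decoded and must be re-escaped on output.
// decodeEntities() stands in for the real parser's entity decoding.

const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode the named and numeric entities a browser decodes in textarea content.
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : match;
  });
}

// Re-escape decoded text so it can neither close its parent early nor be
// parsed as markup when the sanitizer's output is rendered.
function escapeHtml(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Serialize an allowed <textarea>/<option> whose body is parser-decoded text.
// reescape=false models the regressed behaviour the advisory describes (decoded
// text written out verbatim); reescape=true models the corrected behaviour.
function serializeRawTextElement(tag, decodedText, reescape) {
  const body = reescape ? escapeHtml(decodedText) : decodedText;
  return `<${tag}>${body}</${tag}>`;
}

// Would a browser leave the element's raw-text mode early? True when the
// fragment contains more than one close tag for `tag` (the browser honours the
// first one it meets, so anything after it is parsed as ordinary markup).
function breaksOutOfRawText(fragment, tag) {
  const closes = fragment.match(new RegExp(`</${tag}[\\s/>]`, 'gi')) || [];
  return closes.length > 1;
}

// Configuration-level mitigation for a sanitize-html options object: the
// allowedTags key is the library's real option, the helper itself is ours.
function dropRawTextTags(options) {
  const risky = new Set(['textarea', 'option']);
  return {
    ...options,
    allowedTags: (options.allowedTags || []).filter((t) => !risky.has(String(t).toLowerCase())),
  };
}

// Constructed payload: an entity-encoded close tag followed by an <img> with an
// event handler, as it would be submitted inside an allowed <textarea>.
const PAYLOAD = '&lt;/textarea&gt;&lt;img src=x onerror=alert(1)&gt;';

function demo() {
  const decoded = decodeEntities(PAYLOAD);
  const regressed = serializeRawTextElement('textarea', decoded, false);
  const fixed = serializeRawTextElement('textarea', decoded, true);
  return {
    decoded,
    regressed,
    fixed,
    regressedBreaksOut: breaksOutOfRawText(regressed, 'textarea'),
    fixedBreaksOut: breaksOutOfRawText(fixed, 'textarea'),
    hardenedConfig: dropRawTextTags({ allowedTags: ['p', 'a', 'textarea', 'option', 'select'] }),
  };
}

console.log(demo());
```

Run it with node. The regressed output contains a second </textarea>, which is what lets a browser leave raw-text mode and parse the trailing <img>; the corrected output is byte-for-byte the original entity-encoded payload. The configuration helper is the interim mitigation for deployments that cannot move to sanitize-html 2.17.2 straight away.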

Affected Version(s)

apostrophe >= 4.28.0, < 4.29.0

sanitize-html >= 2.17.1, < 2.17.2

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Note: the listed metrics do not reproduce the 6.1 score. Under the CVSS v3.1 formula, AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L with Availability Low scores 7.1; 6.1 is what the same vector with Availability None (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, the usual vector for a stored or reflected XSS) produces, so either the score or the availability metric on this page is recorded incorrectly.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 15 April 2026