Description
ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in version 2.17.1 of the ApostropheCMS-maintained sanitize-html package, bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependency on the vulnerable sanitize-html version. The code at packages/sanitize-html/index.js:569-573 incorrectly assumes that htmlparser2 does not decode entities inside these elements and skips escaping, but htmlparser2 10.x does decode entities before passing text to the ontext callback. As a result, entity-encoded HTML is decoded by the parser and then written directly to the output as literal HTML characters, completely bypassing the allowedTags filter. An attacker can inject arbitrary tags including XSS payloads through any allowed option or textarea element using entity encoding. This affects non-default configurations where option or textarea are included in allowedTags, which is common in form builders and CMS platforms. This issue has been fixed in version 2.17.2 of sanitize-html and 4.29.0 of ApostropheCMS.
Published: 2026-04-15
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: Cross-Site Scripting (XSS) via Tag Injection
Action: Immediate Patch
AI Analysis

Impact

A regression introduced in commit 49d0bb7 of the sanitize-html package causes the library to skip escaping of text inside the non-text tags textarea and option. The parser decodes entity-encoded characters before passing them to the text callback, so the decoded HTML is written directly to the output, bypassing the allowedTags filter. An attacker who can supply encoded input to these elements is able to inject arbitrary tags, including XSS payloads, into the rendered page. The vulnerability affects any configuration that permits textarea or option in its allowlist, a scenario common in form builders and content management platforms.
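The following is an added illustration, not sanitize-html's or ApostropheCMS's own code: a minimal model of the text-handling path described above. decodeEntities() stands in for a parser that decodes entities before the text callback (the htmlparser2 10.x behaviour the advisory cites), writeTextVulnerable() reproduces the flawed assumption that textarea/option text needs no escaping, and writeTextFixed() is an assumed model of the remedy (escape the decoded text regardless of the enclosing tag). A benign bold tag is used as the constructed input.

```javascript
// Added example: models the sanitize-html regression, not the library's code.
const NON_TEXT_TAGS = new Set(['textarea', 'option']);

// Emulates the parser decoding entities before the ontext callback
// (assumption: mirrors htmlparser2 10.x, as described in the advisory).
function decodeEntities(text) {
  return text
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" decodes only once
}

function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Vulnerable behaviour: inside textarea/option the text is copied through
// unescaped on the wrong assumption that it is still entity-encoded.
function writeTextVulnerable(tag, rawText) {
  const decoded = decodeEntities(rawText); // what ontext actually receives
  return NON_TEXT_TAGS.has(tag) ? decoded : escapeHtml(decoded);
}

// Fixed behaviour (assumed model of the 2.17.2 remedy): always escape the
// decoded text, whatever the enclosing tag.
function writeTextFixed(tag, rawText) {
  return escapeHtml(decodeEntities(rawText));
}

// Regression check: sanitized text output must never contain a literal tag.
function leaksMarkup(output) {
  return /<[a-zA-Z/]/.test(output);
}

// Constructed input: an entity-encoded bold element, as a form field might carry.
const SAMPLE = '&lt;b&gt;bold&lt;/b&gt;';
console.log('vulnerable:', writeTextVulnerable('textarea', SAMPLE));
console.log('fixed:     ', writeTextFixed('textarea', SAMPLE));
```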

Affected Systems

ApostropheCMS version 4.28.0 is impacted because it depends on the vulnerable sanitize-html 2.17.1. The sanitize-html package itself is affected in version 2.17.1, the release that introduced the regression. The issue is resolved starting with sanitize-html 2.17.2 and ApostropheCMS 4.29.0.

Risk and Exploitability

The CVSS base score for this issue is 6.1, indicating a moderate level of risk. EPSS data is not currently available, and the vulnerability has not been listed in the CISA KEV catalog. Attackers could exploit the flaw by submitting specially crafted, entity-encoded content through any form element that includes textarea or option in its allowedTags list, causing the escaped input to be rendered as literal markup in users' browsers. Properly configured controls can reduce the risk, but the presence of the allowedTags loophole creates a straightforward path for client-side code injection.

Generated by OpenCVE AI on April 16, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ApostropheCMS to version 4.29.0 or later, which includes the fixed sanitize-html dependency
  • If using sanitize-html directly, update the package to at least 2.17.2 to obtain the fix
  • As a temporary workaround, exclude the 'textarea' and 'option' tags from the allowedTags list in the sanitize-html configuration until a patch is applied



Advisories

No advisories yet.

History

Wed, 15 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependency on the vulnerable sanitize-html version. The code at packages/sanitize-html/index.js:569-573 incorrectly assumes that htmlparser2 does not decode entities inside these elements and skips escaping, but htmlparser2 10.x does decode entities before passing text to the ontext callback. As a result, entity-encoded HTML is decoded by the parser and then written directly to the output as literal HTML characters, completely bypassing the allowedTags filter. An attacker can inject arbitrary tags including XSS payloads through any allowed option or textarea element using entity encoding. This affects non-default configurations where option or textarea are included in allowedTags, which is common in form builders and CMS platforms. This issue has been fixed in version 2.17.2 of sanitize-html and 4.29.0 of ApostropheCMS.
Title | | ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T20:15:12.333Z

Reserved: 2026-04-09T20:59:17.620Z

Link: CVE-2026-40186

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-15T21:17:27.523

Modified: 2026-04-15T21:17:27.523

Link: CVE-2026-40186

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:30:21Z

Weaknesses