Impact
The vulnerability is an incomplete URI scheme validation in sanitize-html: the scheme allow-list is not applied to the attributes action, formaction, data, poster, background, ping, xlink:href, dynsrc, or lowsrc, so a javascript: URI in any of them passes through the sanitizer unchanged once that attribute has been enabled. The weakness is classified as CWE‑79 (cross‑site scripting). An attacker who gets such markup past the sanitizer can run script in the site's origin in the browser of any user who views the page, enabling credential theft, session hijacking, or defacement. The CVSS score of 5.4 places the issue in the medium severity range.
Affected Systems
Any application that uses the sanitize-html package (published by the ApostropheCMS project) prior to version 2.17.5 is affected, not only ApostropheCMS itself. The vulnerability is only reachable when a developer explicitly adds one of the URI‑accepting attributes (action, formaction, data, poster, background, ping, xlink:href, dynsrc, lowsrc) to the allowed attributes for a tag. The default scheme check covers only href, src, and cite, so enabling any other URI‑bearing attribute silently bypasses it. Developers who rely on the library as a complete HTML sanitizer need to account for this gap, either by upgrading or by extending the set of attributes the scheme check is applied to (the allowedSchemesAppliedToAttributes option) so that it covers every URI attribute they allow.
Risk and Exploitability
The CVSS score of 5.4 reflects a medium risk profile; no EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers exploit the flaw by submitting crafted HTML through any interface that forwards content to the sanitizer, such as rich‑text editors, comment fields, or imported documents. Whether that requires an account depends on the application, not on the library: any user who can submit HTML that reaches a sanitizer configured with one of the affected attributes is a potential attacker. The payload is a stored cross‑site scripting vector: the javascript: URI is rendered into the page, and when a victim activates the element, for example by submitting a form whose action or formaction carries the URI or by clicking an SVG link whose xlink:href does, the browser executes the script in the site's origin with the victim's session. Which of the affected attributes actually triggers navigation varies by browser and element, but form actions and links are reliable triggers.
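The following is an added example, not sanitize-html's own code and not part of the advisory. It re-implements just the attribute URI-scheme check in a few lines to show the gap described under Affected Systems and the exploit path described above: a scheme allow-list that is consulted only for href, src and cite lets a javascript: URI through on formaction, xlink:href or poster, while the same allow-list applied to every URI-bearing attribute drops it. The option names allowedSchemes and allowedSchemesAppliedToAttributes are sanitize-html's; the functions schemeOf, attributeAllowed and sanitizeAttributes and the sample attributes are constructed here for illustration.

```javascript
// Added example (not sanitize-html's code): a minimal attribute scheme check that
// shows why applying the scheme allow-list only to href/src/cite is not enough.

// Attributes browsers treat as URIs. The advisory lists every entry except
// href, src and cite as uncovered by the default check.
const URI_ATTRIBUTES = [
  'href', 'src', 'cite', 'action', 'formaction', 'data', 'poster',
  'background', 'ping', 'xlink:href', 'dynsrc', 'lowsrc',
];

// Mirrors the vulnerable default: the scheme allow-list is consulted only
// for href, src and cite (option names as in sanitize-html; values assumed).
const vulnerableConfig = {
  allowedSchemes: ['http', 'https', 'mailto'],
  allowedSchemesAppliedToAttributes: ['href', 'src', 'cite'],
};

// Hardened: apply the same allow-list to every URI-bearing attribute.
const hardenedConfig = {
  allowedSchemes: ['http', 'https', 'mailto'],
  allowedSchemesAppliedToAttributes: URI_ATTRIBUTES,
};

// Extract the scheme of an attribute value the way a browser will see it:
// decode the numeric and &colon; entities attackers use to hide the colon,
// strip ASCII control/whitespace characters (stricter than a browser, which
// only strips tab and newline inside a URL), then match "scheme:".
// Returns null for relative URIs, which carry no scheme.
function schemeOf(value) {
  const fromCp = (cp) => (cp > 0x10ffff ? '' : String.fromCodePoint(cp));
  const decoded = String(value)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCp(parseInt(d, 10)))
    .replace(/&colon;/gi, ':');
  const stripped = decoded.replace(/[\x00-\x20]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

// Decide whether one attribute survives under a config: true = kept.
function attributeAllowed(name, value, config) {
  const lower = name.toLowerCase();
  if (!config.allowedSchemesAppliedToAttributes.includes(lower)) {
    return true; // attribute is never scheme-checked: this is the gap
  }
  const scheme = schemeOf(value);
  if (scheme === null) return true; // relative URI, nothing to check
  return config.allowedSchemes.includes(scheme);
}

// Sanitize a flat map of attribute name -> value, returning the survivors.
function sanitizeAttributes(attrs, config) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (attributeAllowed(name, value, config)) kept[name] = value;
  }
  return kept;
}

// Constructed sample attributes: three javascript: payloads on attributes the
// default check ignores (two of them obfuscated), one on href, and two benign.
const samples = {
  formaction: 'javascript:alert(document.domain)',
  'xlink:href': 'JAVA\tscript:alert(1)',
  poster: '&#106;avascript:alert(1)',
  href: 'javascript:alert(1)',
  src: 'https://example.com/a.png',
  data: '/relative/path',
};

console.log('vulnerable keeps:', Object.keys(sanitizeAttributes(samples, vulnerableConfig)));
console.log('hardened keeps:  ', Object.keys(sanitizeAttributes(samples, hardenedConfig)));
```

Under the vulnerable configuration only href is dropped; formaction, xlink:href and poster keep their javascript: payloads, exactly the situation the advisory describes. Against a real installation the equivalent check is to sanitize a string such as `<button formaction="javascript:alert(1)">x</button>` with `allowedTags: ['button']` and `allowedAttributes: { button: ['formaction'] }` and confirm whether the attribute comes back intact; on a fixed version, or on an older version with allowedSchemesAppliedToAttributes extended to cover formaction, it should not.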
OpenCVE Enrichment