Skip to main content

Node.js CVE-2026-40186

| EUVDEUVD-2026-23110 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-15 GitHub_M GHSA-9mrh-v2v3-xpfm
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

6
Patch released
Apr 25, 2026 - 18:15 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
4.29.0,2.17.2
Analysis Generated
Apr 16, 2026 - 00:19 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 21:15 euvd
EUVD-2026-23110
Analysis Generated
Apr 15, 2026 - 21:15 vuln.today
CVE Published
Apr 15, 2026 - 20:15 nvd
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 13 npm packages depend on sanitize-html (11 direct, 2 indirect)

Ecosystem-wide dependent count for version 2.17.2.

DescriptionGitHub Advisory

ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependency on the vulnerable sanitize-html version. The code at packages/sanitize-html/index.js:569-573 incorrectly assumes that htmlparser2 does not decode entities inside these elements and skips escaping, but htmlparser2 10.x does decode entities before passing text to the ontext callback. As a result, entity-encoded HTML is decoded by the parser and then written directly to the output as literal HTML characters, completely bypassing the allowedTags filter. An attacker can inject arbitrary tags including XSS payloads through any allowed option or textarea element using entity encoding. This affects non-default configurations where option or textarea are included in allowedTags, which is common in form builders and CMS platforms. This issue has been fixed in version 2.17.2 of sanitize-html and 4.29.0 of ApostropheCMS.

AnalysisAI

Cross-site scripting (XSS) in ApostropheCMS 4.28.0 and sanitize-html 2.17.1 allows remote attackers to bypass HTML tag filtering and inject arbitrary tags through entity-encoded payloads in textarea and option elements. A regression in the sanitize-html parser incorrectly assumes htmlparser2 does not decode entities within non-text elements, causing encoded HTML to be decoded and written directly to output without sanitization. Exploitation requires non-default configurations where textarea or option tags are in the allowedTags list, commonly found in form builders, and user interaction to submit form content. No active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit once configuration conditions are met.

Technical ContextAI

The vulnerability stems from a logic error in sanitize-html's entity-handling code for non-text elements. The sanitize-html package is a Node.js HTML sanitizer that maintains an allowedTags list to prevent XSS attacks. In version 2.17.1, the code at packages/sanitize-html/index.js:569-573 skips HTML entity escaping for textarea and option elements because it incorrectly assumes htmlparser2 (the underlying HTML parser) does not decode HTML entities before passing text content to callbacks. However, htmlparser2 version 10.x changed behavior and now decodes entities before the ontext callback, causing entity-encoded HTML like &#60;script&#62; to be decoded to literal <script> and written directly to output, completely bypassing the allowedTags allowlist. This affects ApostropheCMS 4.28.0 through its direct dependency on the vulnerable sanitize-html 2.17.1 package (CPE: cpe:2.3:a:apostrophecms:apostrophe:*:*:*:*:*:*:*:* and cpe:2.3:a:apostrophecms:sanitize-html:*:*:*:*:*:*:*:*). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), where insufficient escaping of user-controlled input allows injection of unvalidated HTML.

RemediationAI

Upgrade sanitize-html to version 2.17.2 or later, and upgrade ApostropheCMS to version 4.29.0 or later, as confirmed by the GitHub security advisory at https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-9mrh-v2v3-xpfm. For applications that cannot immediately upgrade, remove textarea and option from the allowedTags configuration if they are not essential to functionality-this eliminates the attack vector entirely but may break form-building features if those tags are relied upon. As a temporary compensating control, implement input validation to reject or escape entity-encoded characters (&#...; patterns) in textarea and option element content before sanitization, though this is not a complete mitigation and should not be considered a long-term solution. Applications using ApostropheCMS should prioritize the upgrade path since version 4.29.0 is available and fixes the regression at the source. For sanitize-html library consumers using direct dependency, bumping to 2.17.2 is the minimal fix.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise High Performance Computing 12 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise Micro 5.3 Not-Affected
SUSE Linux Enterprise Micro 5.3 Not-Affected

Share

CVE-2026-40186 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy