Skip to main content

sanitize-html CVE-2026-53606

| EUVDEUVD-2026-36574 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-12 GitHub_M
5.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
4.4 MEDIUM

AC:H reflects the mandatory non-default configuration prerequisite (permitting a URI-bearing attribute) that is entirely outside the attacker's control.

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 22:01 EUVD
Analysis Generated
Jun 12, 2026 - 21:29 vuln.today

DescriptionCVE.org

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use allowedSchemesAppliedToAttributes (default: ['href', 'src', 'cite']) to gate the naughtyHref() function that blocks dangerous URI schemes like javascript: and vbscript:. The HTML specification defines 10+ attributes that accept URIs (action, formaction, data, poster, background, ping, xlink:href, dynsrc, lowsrc), but none of these are included in the default gate list. When a developer allows any of these attributes in their configuration, javascript: URIs pass through completely unmodified, enabling XSS. Version 2.17.5 patches the issue.

AnalysisAI

Cross-site scripting in sanitize-html prior to 2.17.5 allows low-privileged attackers to inject executable javascript: URIs through HTML attributes that the library's scheme-blocking logic never inspects. The naughtyHref() function gates dangerous URI schemes only for attributes listed in allowedSchemesAppliedToAttributes (defaulting to href, src, and cite), leaving attributes such as action, formaction, data, poster, background, ping, xlink:href, dynsrc, and lowsrc entirely unchecked. Applications that explicitly permit any of these attributes in their sanitize-html configuration are vulnerable; no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.

Technical ContextAI

sanitize-html is a widely used Node.js library (CPE: cpe:2.3:a:apostrophecms:sanitize-html) that strips or transforms HTML to a developer-defined allowlist. Its URI safety check, naughtyHref(), inspects attribute values for dangerous schemes (javascript:, vbscript:, etc.) only when the attribute name appears in the allowedSchemesAppliedToAttributes configuration array. The default value of this array covers only href, src, and cite, yet the HTML specification defines over ten additional attributes that can carry URI values - including action and formaction on forms, data on <object>, poster on <video>/<audio>, and SVG-related xlink:href. Because none of these are in the default gate list, any application that extends its sanitize-html allowedAttributes configuration to permit them inadvertently disables scheme validation for those attributes entirely. This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) root cause: user-controlled URI data reaches browser execution context without sanitization.

RemediationAI

Upgrade sanitize-html to version 2.17.5 or later, which is the vendor-confirmed patched release per GHSA-vccv-cmxp-4j9h (https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-vccv-cmxp-4j9h). Run npm update sanitize-html or pin "sanitize-html": ">=2.17.5" in your package.json. If an immediate upgrade is not feasible, audit your sanitize-html allowedAttributes and allowedAttributesGlob configuration and remove any entries for action, formaction, data, poster, background, ping, xlink:href, dynsrc, and lowsrc; this eliminates the attack surface at the cost of potentially breaking form-submission HTML, media embeds, or SVG content your application currently renders. Alternatively, explicitly add all affected attributes to your allowedSchemesAppliedToAttributes array to force scheme checking - this is a viable short-term workaround but requires careful validation that your custom list is exhaustive as new URI-bearing attributes are introduced.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-53606 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy