CVE-2026-40186

Name of the Vulnerable Software and Affected Versions ApostropheCMS versions prior to 4.29.0 sanitize-html version 2.17.1

Description A regression in the sanitize-html package allows a bypass of allowedTags enforcement for text within nonTextTagsArray elements, specifically textarea and option. The code in 'packages/sanitize-html/index.js' incorrectly assumes that htmlparser2 does not decode entities inside these elements and skips escaping. However, htmlparser2 10.x decodes entities before passing text to the ontext callback, causing entity-encoded HTML to be written directly to the output as literal HTML characters. This enables an attacker to inject arbitrary tags, including cross-site scripting (XSS) payloads, through any allowed option or textarea element using entity encoding. This occurs in non-default configurations where these elements are included in allowedTags.

Recommendations Update ApostropheCMS to version 4.29.0. Update sanitize-html to version 2.17.2.