CVE-2026-40186 Overview
CVE-2026-40186 is a Cross-Site Scripting (XSS) vulnerability affecting ApostropheCMS and its sanitize-html package dependency. A regression introduced in commit 49d0bb7 (included in sanitize-html version 2.17.1) bypasses the allowedTags enforcement mechanism for text inside nonTextTagsArray elements, specifically textarea and option tags. This allows attackers to inject arbitrary HTML and JavaScript through entity-encoded payloads, completely circumventing the sanitization protections.
Critical Impact
Attackers can inject arbitrary XSS payloads through allowed option or textarea elements using entity encoding, enabling session hijacking, credential theft, and malicious content injection on affected CMS platforms and form builders.
Affected Products
- ApostropheCMS version 4.28.0 (through dependency on vulnerable sanitize-html)
- sanitize-html package versions 2.17.1 and prior to 2.17.2
- Node.js applications using affected sanitize-html versions with option or textarea in allowedTags
Discovery Timeline
- 2026-04-15 - CVE-2026-40186 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-40186
Vulnerability Analysis
The vulnerability stems from an incorrect assumption about how htmlparser2 version 10.x handles entity decoding inside raw text elements. The vulnerable code at packages/sanitize-html/index.js:569-573 assumed that htmlparser2 does not decode entities inside elements like textarea and option, and therefore skipped escaping for text content within these tags. However, htmlparser2 10.x actually does decode entities before passing text to the ontext callback.
This behavioral change in the parser library created a critical security gap: entity-encoded HTML sequences (e.g., <script>) are first decoded by the parser into literal HTML characters (<script>), then written directly to the output without sanitization. The allowedTags filter is completely bypassed because the malicious tags are encoded during input but become active HTML in the output.
Root Cause
The root cause is a flawed assumption in the sanitize-html library about the behavior of its underlying HTML parser. The code incorrectly treated all tags in nonTextTagsArray (including option) as raw text elements that preserve entity encoding, when in fact only textarea and xmp are true raw text elements in htmlparser2. The option element's content is decoded by the parser, meaning entity-encoded payloads like <script>alert(1)</script> become executable HTML after parsing.
Attack Vector
The attack requires a non-default configuration where option or textarea elements are included in allowedTags, which is common in form builders and CMS platforms that allow user-generated forms. An attacker can craft input containing entity-encoded malicious HTML within these allowed elements. When the input passes through the vulnerable sanitize-html function, the entity encoding is decoded by the parser but not re-escaped, resulting in XSS execution in the victim's browser.
// your concern, don't allow them. The same is essentially true for style tags
// which have their own collection of XSS vectors.
result += text;
- } else if ((options.disallowedTagsMode === 'discard' || options.disallowedTagsMode === 'completelyDiscard') && (nonTextTagsArray.indexOf(tag) !== -1)) {
- // htmlparser2 does not decode entities inside raw text elements like
- // textarea and option. The text is already properly encoded, so pass
- // it through without additional escaping to avoid double-encoding.
+ } else if ((options.disallowedTagsMode === 'discard' || options.disallowedTagsMode === 'completelyDiscard') && (tag === 'textarea' || tag === 'xmp')) {
+ // htmlparser2 treats <textarea> and <xmp> as raw text elements and
+ // does NOT decode entities inside them. The text is already properly
+ // encoded, so pass it through without additional escaping to avoid
+ // double-encoding. Other "nonTextTags" like <option> are not raw text
+ // elements in htmlparser2, so their contents are decoded and must be
+ // escaped below like any other text (important to prevent XSS via
+ // entity-encoded payloads such as <option><script>...</script></option>).
result += text;
} else if (!addedText) {
const escaped = escapeHtml(text, false);
Source: GitHub Commit
Detection Methods for CVE-2026-40186
Indicators of Compromise
- Presence of entity-encoded HTML sequences within option or textarea elements in user-submitted content (e.g., <script>, <img, <svg)
- Unexpected JavaScript execution or DOM modifications on pages displaying user-generated content
- Web application logs showing unusual form submissions containing encoded HTML entities in select options or text areas
- Browser console errors related to Content Security Policy violations from inline script attempts
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect entity-encoded XSS payloads within form fields, particularly targeting option and textarea content
- Deploy Content Security Policy (CSP) headers with strict inline script restrictions to detect and block XSS execution attempts
- Review application dependencies for vulnerable sanitize-html versions (2.17.1 and earlier before the fix)
- Audit server-side logs for submissions containing patterns like <script or <script within form data
Monitoring Recommendations
- Enable verbose logging on form submission endpoints to capture raw input data for security analysis
- Monitor for CSP violation reports that may indicate XSS exploitation attempts
- Set up dependency scanning to alert on vulnerable package versions in your Node.js applications
- Implement real-time monitoring for anomalous JavaScript execution patterns in user-facing content areas
How to Mitigate CVE-2026-40186
Immediate Actions Required
- Upgrade sanitize-html package to version 2.17.2 or later immediately
- Upgrade ApostropheCMS to version 4.29.0 or later if using the full CMS platform
- Review any custom allowedTags configurations that include option or textarea elements and assess exposure
- Audit recently submitted user content for potential exploitation attempts
Patch Information
The vulnerability has been patched in sanitize-html version 2.17.2 and ApostropheCMS version 4.29.0. The fix modifies the text handling logic to only skip escaping for true raw text elements (textarea and xmp), while properly escaping content in option elements and other non-raw-text tags. For detailed patch information, see the GitHub Security Advisory and patch commit.
Workarounds
- Remove option from your allowedTags configuration if it is not strictly required for your application's functionality
- Implement additional server-side input validation that decodes and re-validates content before passing to sanitize-html
- Deploy Content Security Policy headers with script-src restrictions to limit the impact of any successful XSS injection
- Consider implementing a secondary sanitization pass using an alternative library until the patch can be applied
# Upgrade sanitize-html to patched version
npm update sanitize-html@2.17.2
# Or for ApostropheCMS users, upgrade the full platform
npm update apostrophe@4.29.0
# Verify the installed version
npm list sanitize-html
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
