Platform
nodejs
Component
node.js
Fixed in
4.28.1
2.17.2
2.17.3
CVE-2026-40186 describes a cross-site scripting (XSS) vulnerability in ApostropheCMS, an open-source Node.js content management system. This vulnerability arises from a regression in the sanitize-html package, specifically affecting versions 2.17.1 and subsequently ApostropheCMS versions before 4.28.0. Exploitation allows attackers to inject malicious scripts, potentially compromising user sessions and website integrity. The vulnerability was published on 2026-04-15 and a fix is available.
The XSS vulnerability allows an attacker to inject arbitrary JavaScript code into a user's browser when they interact with a vulnerable ApostropheCMS website. This can lead to various malicious actions, including session hijacking, defacement of the website, and redirection to phishing sites. The vulnerability specifically targets textarea and option elements, where the sanitize-html package fails to properly escape entities due to an incorrect assumption about the htmlparser2 library. Successful exploitation could result in complete compromise of the affected website and its users, similar to other XSS vulnerabilities where attackers leverage user input to execute malicious code.
CVE-2026-40186 is not currently listed on the CISA KEV catalog. The EPSS score is likely to be Low to Medium, given the requirement for specific user interaction and the availability of a straightforward patch. Public proof-of-concept (PoC) code is not currently available, but the vulnerability's nature makes it likely that PoCs will emerge. The vulnerability was publicly disclosed on 2026-04-15.
Exploit Status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40186 is to upgrade ApostropheCMS to version 4.28.0 or sanitize-html to version 2.17.2 or later. If immediate upgrade is not possible due to compatibility issues or breaking changes, consider implementing input validation and output encoding on user-supplied data within ApostropheCMS templates. While not a complete fix, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of defense. Monitor ApostropheCMS logs for suspicious activity, particularly unusual JavaScript execution patterns.
Update the sanitize-html package to version 2.17.2 or higher. This corrects an issue that allows arbitrary HTML injection through entity decoding, which could result in Cross-Site Scripting (XSS) attacks. Also, ensure that ApostropheCMS is updated to version 4.29.0 or higher.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40186 is a cross-site scripting (XSS) vulnerability affecting ApostropheCMS versions before 4.28.0, stemming from a bypass in the sanitize-html package. It allows attackers to inject malicious scripts.
You are affected if you are using ApostropheCMS versions prior to 4.28.0, as it relies on a vulnerable version of sanitize-html.
Upgrade ApostropheCMS to version 4.28.0 or sanitize-html to version 2.17.2 or later. Consider input validation and output encoding as a temporary mitigation.
There is no confirmed active exploitation at this time, but the vulnerability's nature makes it likely that exploitation attempts will occur.
Refer to the ApostropheCMS security advisories on their official website for the most up-to-date information and guidance.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.