Platform: nodejs
Component: node.js
Fixed versions: 4.28.1 (ApostropheCMS), 2.17.2, 2.17.3 (sanitize-html)
CVE-2026-40186 describes a cross-site scripting (XSS) vulnerability in ApostropheCMS, an open-source Node.js content management system. It is caused by a regression in the sanitize-html package: version 2.17.1 reintroduced an entity-escaping flaw, and ApostropheCMS releases that depend on that version inherit it (the description cites ApostropheCMS versions before 4.28.0; the fixed-version field above lists 4.28.1). Exploitation lets an attacker inject script into pages rendered from user-supplied content, compromising user sessions and site integrity. The vulnerability was published on 2026-04-15 and fixed releases are available.
The flaw lets an attacker place arbitrary JavaScript in pages served to other users of a vulnerable ApostropheCMS site. The consequences are those of stored XSS: session hijacking, defacement, and redirection to phishing sites, with the impact scaling to whatever the victim user (an administrator, for example) is permitted to do. The defect is specific to textarea and option elements: sanitize-html 2.17.1 makes an incorrect assumption about how the htmlparser2 library handles the text inside those elements and therefore fails to escape entities there correctly, so user-supplied content that should have been emitted as inert text can instead be emitted as markup.
CVE-2026-40186 is not listed in the CISA KEV catalog. Its EPSS score is 0.01% (1st percentile), consistent with a flaw that needs a victim to load attacker-influenced content and that has a straightforward patch. No public proof-of-concept (PoC) code is known at the time of writing, but the bug class is well understood, so PoCs may appear. The vulnerability was publicly disclosed on 2026-04-15.
Organizations running ApostropheCMS releases older than the fixed version are at risk, as is any other Node.js application that resolves sanitize-html 2.17.1 directly or through a transitive dependency, since the defect lives in sanitize-html rather than in ApostropheCMS itself. Sites that accept user-generated content and render it through sanitize-html are the most exposed, particularly where that content ends up inside textarea or option elements.
• nodejs / server: npm ls sanitize-html (lists every copy in the dependency tree, nested ones included; any copy older than 2.17.2 needs attention)
• nodejs / server: npm audit (reports the advisory once it is present in the npm advisory database; npm audit does not take a package name as an argument)
• generic web: Inspect ApostropheCMS templates and widgets for user-supplied text rendered inside textarea or option elements, and confirm it passes through a fixed sanitize-html rather than being emitted unescaped.
• generic web: Review stored user content and, where request bodies are logged, form submissions for closing textarea or option tags or script markup in fields that should hold plain text. Ordinary access logs do not record script execution in the browser.
Exploitation status: disclosure
EPSS: 0.01% (1st percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-40186 is to upgrade: ApostropheCMS to the fixed release (the fixed-version field above lists 4.28.1) and sanitize-html to 2.17.2 or later, checking nested copies in the dependency tree as well as the direct dependency. If an immediate upgrade is blocked by compatibility concerns, apply context-specific output encoding to user-supplied text that ends up inside textarea or option elements, so that any closing tag or script markup in the stored data is emitted as inert text rather than as markup. This narrows the attack surface but is not a substitute for the patch. A web application firewall (WAF) configured to block XSS payloads adds a further layer of defense. To detect attempts, review stored content and submitted form data for closing textarea or option tags and script markup; server logs will not show script executing in a victim's browser.
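The interim mitigation above, worked through as an added example (this is not sanitize-html's fix and not ApostropheCMS code; the render helpers are hypothetical). It shows why the element context matters: inside textarea, browsers decode character references but do not parse tags, so an entity-encoded closing tag such as `&lt;/textarea&gt;` is harmless text while a raw `</textarea` in the serialised markup ends the element; inside option the content is parsed as ordinary markup, so any raw `<` must be escaped. The escape function produces the inert form, and a separate invariant check rejects sanitiser output that would still break out, which is the guard a template layer can keep even after the upgrade. The sample input is constructed for the demonstration and is not the CVE's payload.

```javascript
// Added example: context-specific output encoding for untrusted text inside
// <textarea> and <option>, plus a post-sanitisation breakout check.
// Not sanitize-html or ApostropheCMS code; the render helpers are hypothetical.

const ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };

// Escape text for element content or a double-quoted attribute value.
// "<" is the character that matters for both contexts covered here; "&" is
// escaped so the stored text round-trips exactly instead of being decoded
// twice; ">" and '"' are escaped so the same helper is safe in attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"]/g, (c) => ENTITY[c]);
}

// Invariant check for a string about to be placed between <tag> and </tag>.
// textarea: the browser only ends the element on a raw "</textarea" followed
//           by whitespace, "/" or ">" (case-insensitive), so that is what is
//           rejected; an entity-encoded closing tag is inert and passes.
// option:   tags are parsed inside option, so any raw "<" is rejected.
// Returns null when the content is safe, otherwise a description of the problem.
function elementContentBreakout(content, tag) {
  const t = String(tag).toLowerCase();
  if (t === "textarea") {
    const m = /<\/textarea[\s/>]/i.exec(content);
    return m ? `raw closing tag at offset ${m.index}` : null;
  }
  if (t === "option") {
    const i = content.indexOf("<");
    return i >= 0 ? `raw "<" at offset ${i}` : null;
  }
  throw new Error(`unsupported element: ${tag}`);
}

// Hypothetical render helpers: escape, then re-check the invariant so a future
// regression in the escaper fails closed instead of shipping a breakout.
function renderTextarea(name, untrustedValue) {
  const body = escapeHtml(untrustedValue);
  const problem = elementContentBreakout(body, "textarea");
  if (problem) throw new Error(`refusing to render textarea: ${problem}`);
  return `<textarea name="${escapeHtml(name)}">${body}</textarea>`;
}

function renderOption(value, untrustedLabel) {
  const body = escapeHtml(untrustedLabel);
  const problem = elementContentBreakout(body, "option");
  if (problem) throw new Error(`refusing to render option: ${problem}`);
  return `<option value="${escapeHtml(value)}">${body}</option>`;
}

// Count raw closing tags in serialised markup; a correctly rendered field has
// exactly one, and the one from the template is the only one allowed.
function countClosingTags(html, tag) {
  const re = new RegExp(`</${tag}[\\s/>]`, "gi");
  return (html.match(re) || []).length;
}

// Constructed sample: stored text that tries to close the element early.
const SAMPLE_INPUT = '</textarea ><img src=x onerror="alert(1)">';

console.log("raw input breakout:", elementContentBreakout(SAMPLE_INPUT, "textarea"));
console.log(renderTextarea("comment", SAMPLE_INPUT));
console.log(renderOption("1", SAMPLE_INPUT));
```

The check is applied to the content string before it is embedded, not to the finished page: once the template's own `</textarea>` is in the output there is no way to tell it apart from one that arrived in user data. That is also the reason the upgrade remains necessary: this guard protects the fields a template author remembers to wrap, while the library fix covers every call site.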
Update the sanitize-html package to version 2.17.2 or later. This fixes an issue that allows injection of arbitrary HTML through entity decoding, which could result in cross-site scripting (XSS) attacks. Also verify that ApostropheCMS is on a fixed release (4.28.1 or later, per the fixed-version field above).
CVE-2026-40186 is a cross-site scripting (XSS) vulnerability affecting ApostropheCMS releases older than the fixed version, caused by an entity-escaping regression in sanitize-html 2.17.1 that lets attackers inject script through content placed inside textarea or option elements.
You are affected if you run an ApostropheCMS release older than the fixed version, or any Node.js application that resolves sanitize-html 2.17.1, directly or as a transitive dependency.
Upgrade ApostropheCMS to the fixed release (4.28.1 per the fixed-version field above) or sanitize-html to 2.17.2 or later. Context-specific output encoding of user text rendered inside textarea and option elements is a temporary mitigation only.
There is no confirmed active exploitation at this time (EPSS 0.01%), but XSS bugs of this kind are easy to weaponize once the mechanism is understood, so exploitation attempts are plausible.
Refer to the ApostropheCMS security advisories on their official website for the most up-to-date information and guidance.