CVE-2026-53606
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
ApostropheCMS, an open-source Node.js content management system, has a vulnerability in sanitize-html that allows dangerous URI schemes like 'javascript:' to pass through in HTML attributes. Versions prior to 2.17.5 do not block these schemes, leading to potential XSS attacks.
Risk Assessment
Organizations using vulnerable versions may be exposed to XSS attacks, which could result in data theft or session hijacking.
Recommendation
It is recommended to update sanitize-html to version 2.17.5 or later to block dangerous URI schemes.
Original NVD description (English source)
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use `allowedSchemesAppliedToAttributes` (default: `['href', 'src', 'cite']`) to gate the `naughtyHref()` function that blocks dangerous URI schemes like `javascript:` and `vbscript:`. The HTML specification defines 10+ attributes that accept URIs (`action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc`, `lowsrc`), but none of these are included in the default gate list. When a developer allows any of these attributes in their configuration, `javascript:` URIs pass through completely unmodified, enabling XSS. Version 2.17.5 patches the issue.

