{"url":"http://public2.vulnerablecode.io/api/packages/14477?format=json","purl":"pkg:npm/sanitize-html@1.11.4","type":"npm","namespace":"","name":"sanitize-html","version":"1.11.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.12.1","latest_non_vulnerable_version":"2.17.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218598?format=json","vulnerability_id":"VCID-7j67-9wrp-ebb2","summary":"Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the \"allowedIframeHostnames\" option.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26539.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26539.json"},{"reference_url":"https://advisory.checkmarx.net/advisory/CX-2021-4308","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://advisory.checkmarx.net/advisory/CX-2021-4308"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26539","reference_id":"","reference_type":"","scores":[{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.5265","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26539"},{"reference_url":"https://github.com/apostrophecms/sanitize-html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/458","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/pull/458"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26539","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26539"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932362","reference_id":"1932362","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932362"},{"reference_url":"https://github.com/advisories/GHSA-rjqq-98f6-6j3r","reference_id":"GHSA-rjqq-98f6-6j3r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rjqq-98f6-6j3r"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:5633","reference_id":"RHSA-2020:5633","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:5633"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2438","reference_id":"RHSA-2021:2438","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2438"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3759","reference_id":"RHSA-2021:3759","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3759"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/383646?format=json","purl":"pkg:npm/sanitize-html@2.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92y7-jps8-3ydr"},{"vulnerability":"VCID-jry7-364q-3bgh"},{"vulnerability":"VCID-rdn1-gbys-xyh2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.3.1"}],"aliases":["CVE-2021-26539","GHSA-rjqq-98f6-6j3r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7j67-9wrp-ebb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48931?format=json","vulnerability_id":"VCID-92y7-jps8-3ydr","summary":"Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21501.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21501.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21501","reference_id":"","reference_type":"","scores":[{"value":"0.01807","scoring_system":"epss","scoring_elements":"0.83227","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21501"},{"reference_url":"https://github.com/apostrophecms/sanitize-html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064808","reference_id":"1064808","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064808"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266111","reference_id":"2266111","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266111"},{"reference_url":"https://github.com/apostrophecms/apostrophe/discussions/4436","reference_id":"4436","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://github.com/apostrophecms/apostrophe/discussions/4436"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/","reference_id":"4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/650","reference_id":"650","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/pull/650"},{"reference_url":"https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf","reference_id":"8b4d061abe6ee1b2e10c7242987674cf","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4","reference_id":"c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21501","reference_id":"CVE-2024-21501","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21501"},{"reference_url":"https://github.com/advisories/GHSA-rm97-x556-q36h","reference_id":"GHSA-rm97-x556-q36h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rm97-x556-q36h"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/","reference_id":"P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1770","reference_id":"RHSA-2024:1770","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1770"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557","reference_id":"SNYK-JAVA-ORGWEBJARSNPM-6276557","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334","reference_id":"SNYK-JS-SANITIZEHTML-6256334","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29293?format=json","purl":"pkg:npm/sanitize-html@2.12.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.12.1"}],"aliases":["CVE-2024-21501","GHSA-rm97-x556-q36h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-92y7-jps8-3ydr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/211273?format=json","vulnerability_id":"VCID-jry7-364q-3bgh","summary":"Sanitize-html Vulnerable To REDoS Attacks","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25887.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25887.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25887","reference_id":"","reference_type":"","scores":[{"value":"0.00097","scoring_system":"epss","scoring_elements":"0.26744","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25887"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/557","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/pull/557"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019219","reference_id":"1019219","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019219"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2123376","reference_id":"2123376","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2123376"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25887","reference_id":"CVE-2022-25887","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25887"},{"reference_url":"https://github.com/advisories/GHSA-cgfm-xwp7-2cvr","reference_id":"GHSA-cgfm-xwp7-2cvr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cgfm-xwp7-2cvr"},{"reference_url":"https://usn.ubuntu.com/7464-1/","reference_id":"USN-7464-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7464-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26065?format=json","purl":"pkg:npm/sanitize-html@2.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92y7-jps8-3ydr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.7.1"}],"aliases":["CVE-2022-25887","GHSA-cgfm-xwp7-2cvr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jry7-364q-3bgh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218599?format=json","vulnerability_id":"VCID-rdn1-gbys-xyh2","summary":"Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the \"allowedIframeHostnames\" option when the \"allowIframeRelativeUrls\" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with \"/\\\\example.com\".","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26540.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26540.json"},{"reference_url":"https://advisory.checkmarx.net/advisory/CX-2021-4309","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://advisory.checkmarx.net/advisory/CX-2021-4309"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26540","reference_id":"","reference_type":"","scores":[{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.5265","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26540"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/460","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/pull/460"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26540","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26540"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932323","reference_id":"1932323","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932323"},{"reference_url":"https://github.com/advisories/GHSA-mjxr-4v3x-q3m4","reference_id":"GHSA-mjxr-4v3x-q3m4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mjxr-4v3x-q3m4"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2438","reference_id":"RHSA-2021:2438","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2438"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3759","reference_id":"RHSA-2021:3759","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3759"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/383728?format=json","purl":"pkg:npm/sanitize-html@2.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92y7-jps8-3ydr"},{"vulnerability":"VCID-jry7-364q-3bgh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.3.2"}],"aliases":["CVE-2021-26540","GHSA-mjxr-4v3x-q3m4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rdn1-gbys-xyh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/161107?format=json","vulnerability_id":"VCID-sgfh-qpmp-pqa4","summary":"`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-25225.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-25225.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25225","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23573","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25225"},{"reference_url":"https://github.com/apostrophecms/sanitize-html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25225","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25225"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/156","reference_id":"156","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/pull/156"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2393838","reference_id":"2393838","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2393838"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/issues/293","reference_id":"293","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/issues/293"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3","reference_id":"712cb6895825c8bb6ede71a16b42bade42abcaf3","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3"},{"reference_url":"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225","reference_id":"CVE-2019-25225","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225"},{"reference_url":"https://github.com/advisories/GHSA-qhxp-v273-g94h","reference_id":"GHSA-qhxp-v273-g94h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qhxp-v273-g94h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376776?format=json","purl":"pkg:npm/sanitize-html@2.0.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7j67-9wrp-ebb2"},{"vulnerability":"VCID-92y7-jps8-3ydr"},{"vulnerability":"VCID-jry7-364q-3bgh"},{"vulnerability":"VCID-rdn1-gbys-xyh2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.0.0-beta"}],"aliases":["CVE-2019-25225","GHSA-qhxp-v273-g94h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sgfh-qpmp-pqa4"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/202546?format=json","vulnerability_id":"VCID-wkp2-3qm6-euah","summary":"Cross-Site Scripting in sanitize-html","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16016","reference_id":"","reference_type":"","scores":[{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52387","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16016"},{"reference_url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403"},{"reference_url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/100","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/issues/100"},{"reference_url":"https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag"},{"reference_url":"https://www.npmjs.com/advisories/154","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/154"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16016","reference_id":"CVE-2017-16016","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16016"},{"reference_url":"https://github.com/advisories/GHSA-xc6g-ggrc-qq4r","reference_id":"GHSA-xc6g-ggrc-qq4r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xc6g-ggrc-qq4r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/390291?format=json","purl":"pkg:npm/sanitize-html@1.11.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7j67-9wrp-ebb2"},{"vulnerability":"VCID-92y7-jps8-3ydr"},{"vulnerability":"VCID-jry7-364q-3bgh"},{"vulnerability":"VCID-rdn1-gbys-xyh2"},{"vulnerability":"VCID-sgfh-qpmp-pqa4"},{"vulnerability":"VCID-wsu9-fzu9-s7b3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.11.2"},{"url":"http://public2.vulnerablecode.io/api/packages/14477?format=json","purl":"pkg:npm/sanitize-html@1.11.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7j67-9wrp-ebb2"},{"vulnerability":"VCID-92y7-jps8-3ydr"},{"vulnerability":"VCID-jry7-364q-3bgh"},{"vulnerability":"VCID-rdn1-gbys-xyh2"},{"vulnerability":"VCID-sgfh-qpmp-pqa4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.11.4"}],"aliases":["CVE-2017-16016","GHSA-xc6g-ggrc-qq4r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wkp2-3qm6-euah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361728?format=json","vulnerability_id":"VCID-wsu9-fzu9-s7b3","summary":"XSS Vulnerability\nsanitize-html is vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one `nonTextTags`, the result is a potential XSS vulnerability.","references":[{"reference_url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/100","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/issues/100"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/14477?format=json","purl":"pkg:npm/sanitize-html@1.11.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7j67-9wrp-ebb2"},{"vulnerability":"VCID-92y7-jps8-3ydr"},{"vulnerability":"VCID-jry7-364q-3bgh"},{"vulnerability":"VCID-rdn1-gbys-xyh2"},{"vulnerability":"VCID-sgfh-qpmp-pqa4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.11.4"}],"aliases":["GMS-2016-17"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wsu9-fzu9-s7b3"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.11.4"}