{"url":"http://public2.vulnerablecode.io/api/packages/96714?format=json","purl":"pkg:deb/debian/node-sanitize-html@0?distro=trixie","type":"deb","namespace":"debian","name":"node-sanitize-html","version":"0","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2.7.1+~2.6.2-1","latest_non_vulnerable_version":"2.17.0+~2.16.1-1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/204681?format=json","vulnerability_id":"VCID-2nn3-ux99-pfde","summary":"Cross-Site Scripting in sanitize-html","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000237","reference_id":"","reference_type":"","scores":[{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47527","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000237"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/issues/29","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/issues/29"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/29","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/issues/29"},{"reference_url":"https://www.npmjs.com/advisories/135","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/135"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/135.json","reference_id":"135","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/135.json"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000237","reference_id":"CVE-2016-1000237","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000237"},{"reference_url":"https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json","reference_id":"CVE-2016-1000237.JSON","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json"},{"reference_url":"https://github.com/advisories/GHSA-3j7m-hmh3-9jmp","reference_id":"GHSA-3j7m-hmh3-9jmp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3j7m-hmh3-9jmp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96714?format=json","purl":"pkg:deb/debian/node-sanitize-html@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96713?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.8.0%2B~2.6.2-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92y7-jps8-3ydr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.8.0%252B~2.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96716?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.14.0%2B~2.13.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.14.0%252B~2.13.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96715?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.17.0%2B~2.16.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.17.0%252B~2.16.1-1%3Fdistro=trixie"}],"aliases":["CVE-2016-1000237","GHSA-3j7m-hmh3-9jmp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2nn3-ux99-pfde"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218598?format=json","vulnerability_id":"VCID-7j67-9wrp-ebb2","summary":"Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the \"allowedIframeHostnames\" option.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26539.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26539.json"},{"reference_url":"https://advisory.checkmarx.net/advisory/CX-2021-4308","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://advisory.checkmarx.net/advisory/CX-2021-4308"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26539","reference_id":"","reference_type":"","scores":[{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.5265","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26539"},{"reference_url":"https://github.com/apostrophecms/sanitize-html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/458","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/pull/458"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26539","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26539"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932362","reference_id":"1932362","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932362"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:5633","reference_id":"RHSA-2020:5633","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:5633"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2438","reference_id":"RHSA-2021:2438","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2438"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3759","reference_id":"RHSA-2021:3759","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3759"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96714?format=json","purl":"pkg:deb/debian/node-sanitize-html@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96713?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.8.0%2B~2.6.2-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92y7-jps8-3ydr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.8.0%252B~2.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96716?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.14.0%2B~2.13.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.14.0%252B~2.13.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96715?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.17.0%2B~2.16.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.17.0%252B~2.16.1-1%3Fdistro=trixie"}],"aliases":["CVE-2021-26539","GHSA-rjqq-98f6-6j3r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7j67-9wrp-ebb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/128265?format=json","vulnerability_id":"VCID-a915-zeme-k7au","summary":"'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (`<a>`), allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-125128","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23573","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-125128"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/issues/1","reference_id":"1","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T13:43:13Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/issues/1"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/423b90e06e1e85245eccedaabeb3a82840c6cd86","reference_id":"423b90e06e1e85245eccedaabeb3a82840c6cd86","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T13:43:13Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/commit/423b90e06e1e85245eccedaabeb3a82840c6cd86"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/889d4ec968e175f1905b2eb9d33f1fa89217cb02","reference_id":"889d4ec968e175f1905b2eb9d33f1fa89217cb02","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T13:43:13Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/commit/889d4ec968e175f1905b2eb9d33f1fa89217cb02"},{"reference_url":"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125128","reference_id":"CVE-2014-125128","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T13:43:13Z/"}],"url":"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2014/CVE-2014-125128"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96714?format=json","purl":"pkg:deb/debian/node-sanitize-html@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96713?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.8.0%2B~2.6.2-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92y7-jps8-3ydr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.8.0%252B~2.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96716?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.14.0%2B~2.13.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.14.0%252B~2.13.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96715?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.17.0%2B~2.16.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.17.0%252B~2.16.1-1%3Fdistro=trixie"}],"aliases":["CVE-2014-125128"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a915-zeme-k7au"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218599?format=json","vulnerability_id":"VCID-rdn1-gbys-xyh2","summary":"Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the \"allowedIframeHostnames\" option when the \"allowIframeRelativeUrls\" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with \"/\\\\example.com\".","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26540.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26540.json"},{"reference_url":"https://advisory.checkmarx.net/advisory/CX-2021-4309","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://advisory.checkmarx.net/advisory/CX-2021-4309"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26540","reference_id":"","reference_type":"","scores":[{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.5265","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26540"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/460","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/pull/460"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26540","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26540"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932323","reference_id":"1932323","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932323"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2438","reference_id":"RHSA-2021:2438","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2438"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3759","reference_id":"RHSA-2021:3759","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3759"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96714?format=json","purl":"pkg:deb/debian/node-sanitize-html@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96713?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.8.0%2B~2.6.2-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92y7-jps8-3ydr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.8.0%252B~2.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96716?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.14.0%2B~2.13.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.14.0%252B~2.13.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96715?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.17.0%2B~2.16.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.17.0%252B~2.16.1-1%3Fdistro=trixie"}],"aliases":["CVE-2021-26540","GHSA-mjxr-4v3x-q3m4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rdn1-gbys-xyh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/161107?format=json","vulnerability_id":"VCID-sgfh-qpmp-pqa4","summary":"`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-25225.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-25225.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25225","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23573","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25225"},{"reference_url":"https://github.com/apostrophecms/sanitize-html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25225","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25225"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/156","reference_id":"156","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/pull/156"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2393838","reference_id":"2393838","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2393838"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/issues/293","reference_id":"293","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/issues/293"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3","reference_id":"712cb6895825c8bb6ede71a16b42bade42abcaf3","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3"},{"reference_url":"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225","reference_id":"CVE-2019-25225","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96714?format=json","purl":"pkg:deb/debian/node-sanitize-html@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96713?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.8.0%2B~2.6.2-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92y7-jps8-3ydr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.8.0%252B~2.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96716?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.14.0%2B~2.13.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.14.0%252B~2.13.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96715?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.17.0%2B~2.16.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.17.0%252B~2.16.1-1%3Fdistro=trixie"}],"aliases":["CVE-2019-25225","GHSA-qhxp-v273-g94h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sgfh-qpmp-pqa4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/202546?format=json","vulnerability_id":"VCID-wkp2-3qm6-euah","summary":"Cross-Site Scripting in sanitize-html","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16016","reference_id":"","reference_type":"","scores":[{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52387","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16016"},{"reference_url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403"},{"reference_url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/100","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/issues/100"},{"reference_url":"https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag"},{"reference_url":"https://www.npmjs.com/advisories/154","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/154"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16016","reference_id":"CVE-2017-16016","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16016"},{"reference_url":"https://github.com/advisories/GHSA-xc6g-ggrc-qq4r","reference_id":"GHSA-xc6g-ggrc-qq4r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xc6g-ggrc-qq4r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96714?format=json","purl":"pkg:deb/debian/node-sanitize-html@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96713?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.8.0%2B~2.6.2-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92y7-jps8-3ydr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.8.0%252B~2.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96716?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.14.0%2B~2.13.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.14.0%252B~2.13.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96715?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.17.0%2B~2.16.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.17.0%252B~2.16.1-1%3Fdistro=trixie"}],"aliases":["CVE-2017-16016","GHSA-xc6g-ggrc-qq4r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wkp2-3qm6-euah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/202540?format=json","vulnerability_id":"VCID-yxgp-4afk-wyen","summary":"Cross-Site Scripting in sanitize-html","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16017","reference_id":"","reference_type":"","scores":[{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50215","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16017"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/19","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/issues/19"},{"reference_url":"https://github.com/punkave/sanitize-html/pull/20","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/pull/20"},{"reference_url":"https://www.npmjs.com/advisories/155","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/155"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16017","reference_id":"CVE-2017-16017","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16017"},{"reference_url":"https://github.com/advisories/GHSA-wg96-3933-j2w5","reference_id":"GHSA-wg96-3933-j2w5","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wg96-3933-j2w5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96714?format=json","purl":"pkg:deb/debian/node-sanitize-html@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96713?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.8.0%2B~2.6.2-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92y7-jps8-3ydr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.8.0%252B~2.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96716?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.14.0%2B~2.13.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.14.0%252B~2.13.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96715?format=json","purl":"pkg:deb/debian/node-sanitize-html@2.17.0%2B~2.16.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@2.17.0%252B~2.16.1-1%3Fdistro=trixie"}],"aliases":["CVE-2017-16017","GHSA-wg96-3933-j2w5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yxgp-4afk-wyen"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-sanitize-html@0%3Fdistro=trixie"}