CVE-2026-40186: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
Commit 49d0bb7 introduced a regression in sanitize-html that bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). Entity-encoded HTML inside these elements passes through the sanitizer as decoded, unescaped HTML, allowing injection of arbitrary tags including XSS payloads. This affects any application using sanitize-html that includes option or textarea in its allowedTags configuration.
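The bypass class the advisory describes (text inside a `textarea` or `option` element being entity-decoded and re-emitted as live markup) can be caught with a regression probe around whatever sanitizer an application uses, plus a defence-in-depth scan of the sanitizer's output for element names outside the allowlist. The following is an added example written for this page; it is not code from the advisory or from the sanitize-html project. The two stand-in sanitizers (`regressedSanitizer`, `correctSanitizer`) are constructed models of the behaviour described above and stand in for the real library so the block runs offline; `probeNonTextTagsBypass` takes any `sanitize(html, { allowedTags })` function, so the real library can be passed in instead. The `x-probe` marker element and the helper names are assumptions of this example.

```javascript
// Added example (not from the advisory or the sanitize-html project).
// Defence-in-depth check to run on sanitizer OUTPUT: report every element
// name that is not in the allowlist.
const TAG_RE = /<\/?\s*([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g;

function disallowedTags(html, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  const found = new Set();
  for (const m of html.matchAll(TAG_RE)) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) found.add(name);
  }
  return [...found].sort();
}

// Regression probe for the CVE-2026-40186 class: place an entity-encoded,
// harmless marker element inside each nonTextTags element that the config
// allows, run the sanitizer, and report whether the marker came back out as
// a real tag. `sanitize(html, { allowedTags })` is the function under test.
// `x-probe` is an assumed marker name that no realistic allowlist contains.
function probeNonTextTagsBypass(sanitize, allowedTags) {
  const marker = '&lt;x-probe&gt;marker&lt;/x-probe&gt;'; // constructed input
  const results = {};
  for (const tag of ['textarea', 'option']) {
    if (!allowedTags.includes(tag)) continue; // not exposed by this config
    const out = sanitize(`<${tag}>${marker}</${tag}>`, { allowedTags });
    results[tag] = disallowedTags(out, allowedTags).includes('x-probe');
  }
  return results;
}

// Mitigation for configs that do not need these elements: drop them from
// allowedTags and report what was removed.
function hardenConfig(config) {
  const risky = new Set(['textarea', 'option']);
  const removed = config.allowedTags.filter((t) => risky.has(t.toLowerCase()));
  const allowedTags = config.allowedTags.filter((t) => !risky.has(t.toLowerCase()));
  return { ...config, allowedTags, removed };
}

// ---- Constructed stand-ins (NOT sanitize-html) so the block runs offline ----
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}
const NON_TEXT_RE = /<(textarea|option)>([\s\S]*?)<\/\1>/gi;

// Models the regression: allowed textarea/option are kept, but their text
// is entity-decoded and emitted as raw HTML.
function regressedSanitizer(html, { allowedTags }) {
  return html.replace(NON_TEXT_RE, (m, tag, text) =>
    allowedTags.includes(tag.toLowerCase()) ? `<${tag}>${decodeEntities(text)}</${tag}>` : '');
}

// Models the intended behaviour: text content stays entity-encoded.
function correctSanitizer(html, { allowedTags }) {
  return html.replace(NON_TEXT_RE, (m, tag, text) =>
    allowedTags.includes(tag.toLowerCase()) ? `<${tag}>${text}</${tag}>` : '');
}

// Usage: compare the probe against both models.
const cfg = ['textarea', 'option', 'p'];
console.log('regressed:', probeNonTextTagsBypass(regressedSanitizer, cfg));
console.log('correct:  ', probeNonTextTagsBypass(correctSanitizer, cfg));
console.log('hardened: ', hardenConfig({ allowedTags: cfg }));
```

In a real deployment the probe runs in the test suite with the production sanitizer and configuration passed in, so an upgrade that reintroduces entity-decoding inside `textarea` or `option` fails CI rather than reaching users. The output scan is independent of the sanitizer and is cheap enough to run on every response in logging-only mode as a detection signal.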