PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53606 apostrophecms CVE debrief

CVE-2026-53606 is a vulnerability in the sanitize-html package, used by ApostropheCMS, a Node.js content management system. The vulnerability arises from the `allowedSchemesAppliedToAttributes` configuration, which by default does not include all HTML attributes that accept URIs. This oversight enables `javascript:` URIs to pass through unmodified, potentially leading to Cross-Site Scripting (XSS) attacks when developers allow certain attributes in their configuration. The issue was patched in version 2.17.5 of sanitize-html.

Vendor
apostrophecms
Product
sanitize-html
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-12
Original CVE updated
2026-06-12
Advisory published
2026-06-12
Advisory updated
2026-06-12

Who should care

Developers and administrators using ApostropheCMS, or the sanitize-html package directly, should be aware of this vulnerability. The exposed configurations are those that allow URI-accepting attributes (beyond `href`, `src`, and `cite`) in `allowedAttributes` without also adding them to `allowedSchemesAppliedToAttributes`, because such attributes fall outside the default gate list.

Technical summary

The sanitize-html package, prior to version 2.17.5, does not gate against dangerous URI schemes such as `javascript:` and `vbscript:` for every HTML attribute that accepts a URI. The package uses `allowedSchemesAppliedToAttributes` (default: `['href', 'src', 'cite']`) to determine which attributes receive scheme filtering. However, the HTML specification defines more than 10 attributes that accept URIs, including `action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc`, and `lowsrc`, none of which appears in that default list. Consequently, when a developer allows one of these attributes, a `javascript:` URI placed in it passes through sanitization unmodified, potentially leading to XSS.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update sanitize-html to version 2.17.5 or later.
  • Review and adjust the `allowedSchemesAppliedToAttributes` configuration to ensure it includes all relevant attributes that accept URIs.
  • Implement additional security measures to detect and prevent XSS attacks, such as Content Security Policy (CSP) and regular security audits.
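The gap described in the technical summary and the second recommended action above, as an added example (written for this debrief, not code from sanitize-html or ApostropheCMS): a small audit that reads a sanitize-html options object, lists allowed URI-accepting attributes that `allowedSchemesAppliedToAttributes` does not cover, and builds a hardened copy. The attribute names and default gate list come from the debrief; the functions and the sample options are constructed for this example.

```javascript
// Added example, not part of sanitize-html or ApostropheCMS: audit a sanitize-html
// options object for URI-accepting attributes that are allowed but not covered by
// allowedSchemesAppliedToAttributes, then produce a hardened copy of the options.

const DEFAULT_GATED = ['href', 'src', 'cite']; // sanitize-html default gate list

// URI-accepting attributes named in the debrief (not the full HTML-spec list).
const URI_ATTRIBUTES = new Set([
  'href', 'src', 'cite', 'action', 'formaction', 'data', 'poster',
  'background', 'ping', 'xlink:href', 'dynsrc', 'lowsrc',
]);

// Collect every attribute name allowed on any tag (including the '*' wildcard tag).
// sanitize-html accepts plain strings or { name, values, multiple } objects.
function allowedAttributeNames(allowedAttributes) {
  const names = new Set();
  for (const attrs of Object.values(allowedAttributes || {})) {
    for (const attr of attrs) {
      const name = typeof attr === 'string' ? attr : attr.name;
      names.add(name.toLowerCase());
    }
  }
  return names;
}

// Allowed URI attributes that the scheme gate does not protect, sorted for stable output.
function ungatedUriAttributes(options) {
  const gate = options.allowedSchemesAppliedToAttributes || DEFAULT_GATED;
  const gated = new Set(gate.map((a) => a.toLowerCase()));
  return [...allowedAttributeNames(options.allowedAttributes)]
    .filter((name) => URI_ATTRIBUTES.has(name) && !gated.has(name))
    .sort();
}

// Return a copy of the options whose gate covers every allowed URI attribute.
function hardenOptions(options) {
  const gate = options.allowedSchemesAppliedToAttributes || DEFAULT_GATED;
  const merged = new Set([...gate, ...ungatedUriAttributes(options)]);
  return { ...options, allowedSchemesAppliedToAttributes: [...merged] };
}

// Constructed sample: poster on <video> and formaction on <button> were allowed,
// but the gate was left at its default, so those two attributes are unfiltered.
const weakOptions = {
  allowedTags: ['p', 'a', 'video', 'button'],
  allowedAttributes: { a: ['href'], video: ['src', 'poster'], button: ['formaction'] },
};
const hardenedOptions = hardenOptions(weakOptions); // gate now also lists formaction, poster
```

Running the audit against `weakOptions` reports `formaction` and `poster`; the hardened copy reports nothing, and is what should be passed to `sanitizeHtml()` alongside the upgrade to 2.17.5 or later.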

Evidence notes

CVE-2026-53606 has a CVSS score of 5.4 and is classified as MEDIUM severity. It was published and modified on June 12, 2026. The vulnerability is related to CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Official resources

CVE-2026-53606 was published on June 12, 2026, and no modifications have been made since its publication.