CVE-2026-40186 — Non-Default Configurations Where Option Or Textarea Are Incl Cross-Site Scripting (XSS)
Image via images.unsplash.com
CVE-2026-40186 — ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and op
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40186 | vulnerability | CVE-2026-40186 |
| CWE-79 | weakness | CWE-79 |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 16, 2026 at 00:17 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related Posts
ArgoCD Image Updater Flaw Bypasses Namespace Boundaries
CVE-2026-6388 — A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in...
CVE-2026-40500 — The Admin Panel'S 'Add Module From URL' Feature That Server-Side Request Forgery
CVE-2026-40500 — ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows...
Composer Command Injection: Malicious Repositories are a New Vector
CVE-2026-40261 — Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase()...