{"api_version":"1","generated_at":"2026-04-17T15:12:31+00:00","cve":"CVE-2021-26540","urls":{"html":"https://cve.report/CVE-2021-26540","api":"https://cve.report/api/cve/CVE-2021-26540.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-26540","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-26540"},"summary":{"title":"CVE-2021-26540","description":"Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the \"allowedIframeHostnames\" option when the \"allowIframeRelativeUrls\" option is set to true, which allows attackers to bypass the hostname whitelist for the iframe element by using an src value that starts with \"/\\\\example.com\" (browsers normalize the backslashes, so this resolves as a protocol-relative URL to an attacker-chosen host rather than a same-origin relative path). Fixed in 2.3.2.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-02-08 17:15:00","updated_at":"2021-04-01 15:02:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://github.com/apostrophecms/sanitize-html/pull/460","name":"https://github.com/apostrophecms/sanitize-html/pull/460","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"new and interesting iframe validation exploits by boutell · Pull Request #460 · apostrophecms/sanitize-html · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26","name":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26","refsource":"MISC","tags":["Release Notes","Third Party Advisory"],"title":"sanitize-html/CHANGELOG.md at main · apostrophecms/sanitize-html · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://advisory.checkmarx.net/advisory/CX-2021-4309","name":"https://advisory.checkmarx.net/advisory/CX-2021-4309","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-26540","name":"CVE Program 
record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26540","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"26540","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apostrophecms","cpe5":"sanitize-html","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"26540","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apostrophecms","cpe5":"sanitize-html","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-26540","qid":"982673","title":"Nodejs (npm) Security Update for sanitize-html (GHSA-mjxr-4v3x-q3m4)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-26540","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the \"allowedIframeHostnames\" option when the \"allowIframeRelativeUrls\" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with 
\"/\\\\example.com\"."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26","refsource":"MISC","name":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26"},{"url":"https://github.com/apostrophecms/sanitize-html/pull/460","refsource":"MISC","name":"https://github.com/apostrophecms/sanitize-html/pull/460"},{"refsource":"MISC","name":"https://advisory.checkmarx.net/advisory/CX-2021-4309","url":"https://advisory.checkmarx.net/advisory/CX-2021-4309"}]}},"nvd":{"publishedDate":"2021-02-08 17:15:00","lastModifiedDate":"2021-04-01 15:02:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apostrophecms:sanitize-html:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2.3.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"26540","Ordinal":"201592","Title":"CVE-2021-26540","CVE":"CVE-2021-26540
","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"26540","Ordinal":"1","NoteData":"Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the \"allowedIframeHostnames\" option when the \"allowIframeRelativeUrls\" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with \"/\\\\example.com\".","Type":"Description","Title":null},{"CveYear":"2021","CveId":"26540","Ordinal":"2","NoteData":"2021-02-08","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"26540","Ordinal":"3","NoteData":"2021-03-25","Type":"Other","Title":"Modified"}]}}}