CVE-2021-26540
Description
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when "allowIframeRelativeUrls" is set to true, which allows attackers to bypass the hostname whitelist for the iframe element, related to using an src value that starts with "/\\example.com".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
sanitize-html before 2.3.2 incorrectly validates iframe hostnames with allowIframeRelativeUrls enabled, allowing bypass via "/\\example.com" src values.
Vulnerability
Overview
The vulnerability resides in the sanitize-html library (versions before 2.3.2) where the allowedIframeHostnames option is not properly validated when allowIframeRelativeUrls is set to true. The library incorrectly handles src values that begin with a slash followed by a backslash (e.g., /\\example.com), allowing an attacker to circumvent the hostname whitelist [2][3].
Exploitation
An attacker can supply a crafted HTML snippet containing an iframe element with a src attribute like /\\attacker.com. With both options enabled, the sanitizer treats this value as a relative URL and does not enforce the hostname check, even though a browser resolves it as a protocol-relative URL pointing at attacker.com. This requires the application to have enabled both allowIframeRelativeUrls and allowedIframeHostnames, but no other authentication or network position is needed [3][4].
Impact
Successful exploitation allows the injection of iframes from any arbitrary host, bypassing the intended restrictions. This could lead to cross-site scripting (XSS) or data exfiltration if the iframe loads malicious content [4].
Mitigation
The vulnerability was fixed in sanitize-html version 2.3.2 [2]. Users are strongly advised to update to this or a later version. No workarounds have been publicly recommended [3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
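To make the Overview and Exploitation sections concrete, here is an added illustration in JavaScript (it is not sanitize-html's own code): a prefix-based relative-URL test that lets a "/\\host" src through, next to a check that resolves the src with the WHATWG URL parser the way a browser would before comparing the hostname with the allowlist. The page origin, the allowlist and the sample src values are constructed for the example.

```javascript
// Added illustration, not sanitize-html's own code. Node's global URL
// implements the same WHATWG URL parser that browsers use.

// Constructed for this example: the embedding page's origin and the
// iframe hostname allowlist (the equivalent of allowedIframeHostnames).
const PAGE_ORIGIN = 'https://app.example';
const ALLOWED_IFRAME_HOSTNAMES = ['www.youtube.com', 'player.vimeo.com'];

// Naive test in the spirit of the pre-2.3.2 behaviour: a src starting with
// a single "/" (but not "//") is taken as same-site relative and skips the
// hostname check. For special schemes the WHATWG parser treats "\" like
// "/", so "/\evil.example" (JS literal '/\\evil.example') resolves to
// //evil.example and the allowlist is bypassed.
function naiveIsRelative(src) {
  return src.startsWith('/') && !src.startsWith('//');
}

function naiveAllowsIframe(src) {
  if (naiveIsRelative(src)) return true;
  let host;
  try { host = new URL(src).hostname; } catch { return false; }
  return ALLOWED_IFRAME_HOSTNAMES.includes(host);
}

// Hardened check: resolve the src against the page origin exactly as the
// browser will, then decide on the *resolved* hostname. A genuinely
// relative src lands on the page's own host; "/\evil.example" does not.
function hardenedAllowsIframe(src, allowRelative = true) {
  let resolved;
  try { resolved = new URL(src, PAGE_ORIGIN); } catch { return false; }
  if (resolved.protocol !== 'https:' && resolved.protocol !== 'http:') return false;
  if (resolved.hostname === new URL(PAGE_ORIGIN).hostname) return allowRelative;
  return ALLOWED_IFRAME_HOSTNAMES.includes(resolved.hostname);
}

// Where the src actually points; useful when logging rejected iframes.
function resolvedHost(src) {
  try { return new URL(src, PAGE_ORIGIN).hostname; } catch { return null; }
}
```

The real fix is upgrading to sanitize-html 2.3.2 or later; the hardened function only shows the property a hostname check needs, namely that it is applied to the URL as the browser will resolve it.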
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sanitize-html (npm) | < 2.3.2 | 2.3.2 |
Affected products
- Apostrophe Technologies / sanitize-html
References
- github.com/advisories/GHSA-mjxr-4v3x-q3m4 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-26540 (NVD)
- advisory.checkmarx.net/advisory/CX-2021-4309 (Checkmarx advisory)
- github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md (sanitize-html changelog)
- github.com/apostrophecms/sanitize-html/pull/460 (fix pull request)