{"id":"CVE-2021-26539","details":"Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain names (IDNs), which could allow an attacker to bypass the hostname whitelist validation set by the \"allowedIframeHostnames\" option.","aliases":["GHSA-rjqq-98f6-6j3r"],"modified":"2026-04-11T17:19:29.692700Z","published":"2021-02-08T17:15:13.673Z","references":[{"type":"ADVISORY","url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22"},{"type":"FIX","url":"https://github.com/apostrophecms/sanitize-html/pull/458"},{"type":"EVIDENCE","url":"https://advisory.checkmarx.net/advisory/CX-2021-4308"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apostrophecms/sanitize-html","events":[{"introduced":"0"},{"fixed":"b77e1d9c3875b387589c864c796ce31a75e436a9"}],"database_specific":{"cpe":"cpe:2.3:a:apostrophecms:sanitize-html:*:*:*:*:*:node.js:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"2.3.1"}]}}],"versions":["1.10.1","1.11.0","1.11.1","1.11.4","1.18.2","1.18.3","1.18.4","1.18.5","1.19.0","1.19.1","1.19.2","1.19.3","1.20.0","1.21.0","1.21.1","1.22.0","1.27.4","2.0.0","2.1.0","2.1.1","2.1.2","2.2.0","2.3.0","v1.5.2","v1.7.0","v1.7.1","v1.7.2","v1.8.0","v1.9.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-26539.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}