Thanks for following up!!
UNSOLVED Bootbox 5.5.2 Cross-Site Scripting
I don't know what Bootbox is for, but evidently NodeBB 1.18.4 depends on Bootbox 5.5.2, which has a cross-site scripting vulnerability according to npm audit.
Bootbox is used to show modals and alerts. You can test it by running
bootbox.alert('hello')in your browser console.
The vulnerability mentioned comes from bootbox allowing any html to be passed in. For example
For the full discussion you can check https://github.com/makeusabrew/bootbox/issues/661