Description
HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its contents, unless the shadowrootmode attribute is set to open or closed. This issue has been patched in versions 9.0.892 and 9.1.893-beta.
Published: 2026-02-04
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Apply patch
AI Analysis

Impact

HtmlSanitizer is a .NET library for sanitizing HTML fragments and documents. When the template tag is in the sanitizer's allowed-tag set, the contents of a template element pass through without being sanitized. Normally a template's contents are inert and never rendered, but when the element carries a shadowrootmode attribute set to open or closed the browser treats it as a declarative shadow root and attaches its contents to the page, so markup the sanitizer never inspected (script, event-handler attributes and the like) runs in the viewer's browser. The weaknesses recorded are CWE-79 (improper neutralization of input during web page generation, i.e. cross-site scripting) and CWE-116 (improper encoding or escaping of output).

Affected Systems

The flaw affects the HtmlSanitizer project by mganss (NuGet package HtmlSanitizer). Versions before 9.0.892 on the stable line and before 9.1.893-beta on the pre-release line are vulnerable. Any .NET application that references a vulnerable package version, or vendors the library's source, is at risk if it relies on the sanitizer to make untrusted HTML safe to render. The bypass is reachable only when the template tag is in the sanitizer's allowed-tag set, so the actual exposure depends on the application's sanitizer configuration rather than on the library alone.

Risk and Exploitability

The CVSS 4.0 score of 6.3 (medium) reflects an issue that is reachable over the network without privileges or user interaction but carries an attack requirement (AT:P), namely a sanitizer configuration that allows the template tag, with low confidentiality and integrity impact on the subsequent system (SC:L/SI:L), i.e. the browser of the user who views the sanitized content. The EPSS probability is below 1%, so broad exploitation is unlikely, though targeted abuse of an application known to run a vulnerable configuration remains plausible. The vulnerability is not listed in CISA's KEV catalog. The realistic attack path is stored or reflected XSS: an attacker submits HTML containing a template element with shadowrootmode set to open or closed to a server-side application that passes user-supplied markup through HtmlSanitizer and then renders the result to other users. The application must therefore both accept untrusted HTML and have template in its allowed-tag set for the flaw to be exploitable.

Generated by OpenCVE AI on April 17, 2026 at 23:08 UTC.

Remediation

Fixed upstream in HtmlSanitizer 9.0.892 and 9.1.893-beta (see Description). No separate distribution or vendor advisory is recorded here.

OpenCVE Recommended Actions

  • Upgrade HtmlSanitizer to version 9.0.892 or later from the official NuGet repository.
  • If you are on the 9.1 pre-release line, upgrade to 9.1.893-beta or a later pre-release.
  • If an upgrade is not immediately feasible, remove the template tag from the sanitizer's allowed-tag set (the AllowedTags collection on HtmlSanitizer) so template elements are stripped instead of having their contents passed through unsanitized, and make sure the shadowrootmode attribute is not in the allowed-attribute set.
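The configuration dependence described under Impact and Affected Systems, and the workaround in the last item above, as an added example (not code from the HtmlSanitizer project or from this advisory). It assumes the HtmlSanitizer NuGet package with its Ganss.Xss namespace, the AllowedTags, AllowedAttributes and KeepChildNodes members and the Sanitize method; the payload string, the class name TemplateSanitizerDemo and the LooksSafe post-check are constructed for illustration. The weak configuration is shown only to make the exposure concrete; on a patched version the template contents are sanitized either way.

```csharp
// Added example, not part of HtmlSanitizer or of this advisory.
// Weak configuration (template allowed) beside a hardened one, plus a
// fail-closed post-check on the sanitizer's output. Assumes the HtmlSanitizer
// NuGet package (namespace Ganss.Xss in current releases).
using System;
using Ganss.Xss;

static class TemplateSanitizerDemo
{
    // Constructed test input: a declarative shadow root wrapping an
    // event-handler payload. A plain <template> is inert; with
    // shadowrootmode="open" or "closed" the browser attaches its contents
    // as a shadow DOM and renders them.
    public const string Payload =
        "<p>hello</p><template shadowrootmode=\"open\">" +
        "<img src=x onerror=\"alert(1)\"></template>";

    // Weak: an application that deliberately permits <template>, e.g. to let
    // users submit component markup. On HtmlSanitizer < 9.0.892 / < 9.1.893-beta
    // the template's contents are passed through without sanitization.
    public static HtmlSanitizer WeakSanitizer()
    {
        var s = new HtmlSanitizer();
        s.AllowedTags.Add("template");
        return s;
    }

    // Hardened: <template> is not an allowed tag and, because KeepChildNodes is
    // false, the whole subtree is dropped rather than unwrapped into the parent.
    // shadowrootmode is removed from the allowed attributes as defence in depth
    // (Remove simply returns false if it was never allowed).
    public static HtmlSanitizer HardenedSanitizer()
    {
        var s = new HtmlSanitizer();
        s.AllowedTags.Remove("template");
        s.AllowedAttributes.Remove("shadowrootmode");
        s.KeepChildNodes = false;
        return s;
    }

    // Fail-closed check applied to sanitizer output before it is stored or
    // rendered: no surviving <template> element and no declarative-shadow-root
    // attribute, regardless of which sanitizer configuration produced it.
    public static bool LooksSafe(string html) =>
        html.IndexOf("<template", StringComparison.OrdinalIgnoreCase) < 0 &&
        html.IndexOf("shadowrootmode", StringComparison.OrdinalIgnoreCase) < 0;

    static void Main()
    {
        string weak = WeakSanitizer().Sanitize(Payload);
        string hardened = HardenedSanitizer().Sanitize(Payload);

        Console.WriteLine("weak:     " + weak);
        Console.WriteLine("hardened: " + hardened);
        Console.WriteLine("weak output passes post-check:     " + LooksSafe(weak));
        Console.WriteLine("hardened output passes post-check: " + LooksSafe(hardened));

        // Refuse to proceed if template markup survived sanitization.
        if (!LooksSafe(hardened))
            throw new InvalidOperationException("template markup survived sanitization");
    }
}
```

Run it against the package version you actually ship: on a vulnerable version the weak sanitizer's output carries the template contents through unsanitized and the post-check flags it, while the hardened configuration drops the element and its subtree. Keep the post-check after upgrading as well; it costs nothing and catches a regression if template is later added back to AllowedTags.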


Advisories
Source | ID | Title
GitHub GHSA | GHSA-j92c-7v7g-gj3f | HtmlSanitizer has a bypass via template tag
History

Tue, 24 Feb 2026 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Htmlsanitizer Project; Htmlsanitizer Project htmlsanitizer
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:htmlsanitizer_project:htmlsanitizer:*:*:*:*:*:*:*:*
Vendors & Products | | Htmlsanitizer Project; Htmlsanitizer Project htmlsanitizer
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 05 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 11:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mganss; Mganss htmlsanitizer
Vendors & Products | | Mganss; Mganss htmlsanitizer

Wed, 04 Feb 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its contents, unless the shadowrootmode attribute is set to open or closed. This issue has been patched in versions 9.0.892 and 9.1.893-beta.
Title | | HtmlSanitizer has a bypass via template tag
Weaknesses | | CWE-116
References | |
Metrics | | cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Htmlsanitizer Project Htmlsanitizer
Mganss Htmlsanitizer
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T18:24:09.842Z

Reserved: 2026-02-02T19:59:47.375Z

Link: CVE-2026-25543

Vulnrichment

Updated: 2026-02-05T18:24:05.969Z

NVD

Status : Analyzed

Published: 2026-02-04T22:16:00.523

Modified: 2026-02-24T21:29:57.410

Link: CVE-2026-25543

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses