Description
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.
Published: 2026-06-12
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

sanitize-html, the popular HTML sanitizer used by ApostropheCMS, has a configuration flaw that allows attacker‑controlled text inside an 'xmp' element to bypass the default sanitization path. With the disallowedTagsMode set to 'discard', the sanitizer incorrectly treats the raw content of the xmp element as executable HTML or JavaScript, enabling stored XSS. This flaw is classified as CWE‑79 and can cause client‑side code execution, credential theft, session hijacking, and other malicious actions when users view the affected pages.

Affected Systems

The vulnerability affects all releases of sanitize‑html older than 2.17.4 that rely on the default configuration. Applications built on ApostropheCMS that include these earlier versions are at risk until a patched version is deployed.

Risk and Exploitability

The CVSS score of 9.3 marks this bug as critical, though the EPSS score of less than 1% suggests that widespread exploitation is currently unlikely. The flaw is not listed in CISA’s KEV catalog, but it can be exploited via stored XSS in any content that traverses the sanitizer with default settings. Attackers would need to inject malicious payloads into input fields that are subsequently sanitized and displayed back to users, taking advantage of the xmp passthrough.

Generated by OpenCVE AI on June 12, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the sanitize-html library to version 2.17.4 or later, which includes the patch for the xmp passthrough bug.
  • If an upgrade is not immediately possible, modify the sanitization configuration to set disallowedTagsMode to 'enforce' and explicitly remove or escape the <xmp> tag from input before sanitization.
  • Apply an additional layer of input validation to strip disallowed tags such as <xmp> from content, and ensure that applications rendering sanitized content do not reintroduce scripting contexts.
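The third action above (strip `<xmp>` from content before it reaches the sanitizer) can be implemented as a small pre-filter. The following is an added example, not code from OpenCVE, ApostropheCMS or sanitize-html: it removes every `xmp` element together with its raw-text body, counts what it removed so the application can log the submission, and wraps whatever sanitizer the application already uses. The `sanitizer` and `onFlag` parameters are hypothetical injection points (in practice `sanitizer` would be sanitize-html's exported function bound to the application's option set); the sample inputs in the usage are constructed.

```javascript
// Added example (not from OpenCVE, ApostropheCMS or sanitize-html).
// Defence-in-depth pre-filter: drop every <xmp> element, body included,
// before the string reaches the HTML sanitizer, and report how many were
// removed so the caller can log or alert on the submission.

// Opening <xmp ...> tag (any case, any attributes), then the raw-text body
// up to the closing </xmp>, or to end of input if the element is never
// closed. A raw-text element cannot nest, so the first </xmp> always ends it.
// `\b` keeps unrelated tags such as <xmpfoo> from matching.
const XMP_ELEMENT = /<xmp\b[^>]*>[\s\S]*?(?:<\/xmp\s*>|$)/gi;

// Returns the filtered markup and the number of xmp elements removed.
function stripXmp(html) {
  let removed = 0;
  const cleaned = html.replace(XMP_ELEMENT, () => {
    removed += 1;
    return '';
  });
  return { cleaned, removed };
}

// Wrap an existing sanitizer so the pre-filter always runs first.
// `sanitizer` (hypothetical parameter) is any function(string) -> string,
// e.g. sanitize-html bound to the application's options. `onFlag` receives
// the removal count and is where a real deployment would log; the default
// no-op lets the function run stand-alone.
function sanitizeSubmission(html, sanitizer, onFlag = () => {}) {
  const { cleaned, removed } = stripXmp(html);
  if (removed > 0) onFlag(removed);
  return sanitizer(cleaned);
}

// Constructed sample: an attribute-bearing, mixed-case element and an
// unclosed one, passed through an identity "sanitizer" for illustration.
const sample = '<p>a</p><XMP class="x">raw text</xmp><p>c</p><xmp>never closed';
sanitizeSubmission(sample, (s) => s, (n) => console.log(`removed ${n} xmp element(s)`));
```

This is a regex pre-filter, not an HTML parser: an attribute value containing `>` will end the opening-tag match early, so treat it as a stop-gap layered in front of the sanitizer until the upgrade to 2.17.4 or later is deployed, and keep the logging hook so flagged submissions are visible to the team.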



Advisories
Source: GitHub GHSA
ID: GHSA-rpr9-rxv7-x643
Title: Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
History

Fri, 12 Jun 2026 23:15:00 +0000

First Time appeared (values added): Apostrophecms; Apostrophecms sanitize-html
Vendors & Products (values added): Apostrophecms; Apostrophecms sanitize-html

Fri, 12 Jun 2026 21:00:00 +0000

Description (value added): ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.
Title (value added): Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
Weaknesses (value added): CWE-79
References (value added):
Metrics (value added): cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:39:47.065Z

Reserved: 2026-05-08T16:23:33.265Z

Link: CVE-2026-44990

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T21:16:22.447

Modified: 2026-06-12T21:16:22.447

Link: CVE-2026-44990

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:00:08Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')