Bug 2488565 (CVE-2026-44990) - CVE-2026-44990 sanitize-html: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass
Summary: CVE-2026-44990 sanitize-html: `sanitize-html`: Stored Cross-Site Scripting vi...
Keywords:
Status: NEW
Alias: CVE-2026-44990
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2492685 2492686 2492687 2492688 2492689 2492690 2492691 2492692 2492694 2492695 2492696 2492697 2492682 2492683 2492684 2492693
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-12 21:02 UTC by OSIDB Bzimport
Modified: 2026-07-02 08:33 UTC (History)
36 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-12 21:02:47 UTC
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.


Note You need to log in before you can comment on or make changes to this bug.