216.73.216.133

CVE-2026-44990

· Published 12/06/2026 23:16 · Modified 12/06/2026 21:16 · Author: The MITRE Corporation

Labels: CVE-2026-44990 2026-06-12CVE-2026-44990CWE-79[email protected]

Essential information

Published
12/06/2026 23:16
Modified
12/06/2026 21:16
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
9.3 CRITICAL (v3.1)
CISA KEV
No
CWE
CWE-79
EPSS (First)
P20.2% ?EPSS percentile: rank of this vulnerability versus all others. Higher percentile = more likely to be exploited. Learn more (score 0.00064)
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CVSS metrics

Description

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
apostrophe / sanitize-html cpe:2.3:a:apostrophe:sanitize-html:<2.17.4:*:*:*:*:*:*:*

References