{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sanitization/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["sanitize-html (\u003c= 2.17.3)"],"_cs_severities":["critical"],"_cs_tags":["xss","sanitize-html","javascript","sanitization"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003esanitize-html\u003c/code\u003e library, a widely used HTML sanitizer for Node.js, contains a critical cross-site scripting (XSS) vulnerability (CVE-2026-44990) affecting version 2.17.3 and earlier. The vulnerability arises from the omission of the \u003ccode\u003exmp\u003c/code\u003e tag from the default \u003ccode\u003enonTextTags\u003c/code\u003e list in the library\u0026rsquo;s configuration. This oversight, combined with the special handling of \u003ccode\u003exmp\u003c/code\u003e content in the \u003ccode\u003eontext\u003c/code\u003e handler, allows attacker-controlled content within a disallowed \u003ccode\u003exmp\u003c/code\u003e element to be rendered as live HTML or JavaScript. The issue was identified and disclosed on May 14, 2026. 
Exploitation can lead to arbitrary JavaScript execution in a user\u0026rsquo;s browser, impacting applications that rely on \u003ccode\u003esanitize-html\u003c/code\u003e for input sanitization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts HTML in which the script payload is wrapped in an \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e element (e.g., \u003ccode\u003e\u0026lt;xmp\u0026gt;\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\u0026lt;/xmp\u0026gt;\u003c/code\u003e). Because \u003ccode\u003exmp\u003c/code\u003e is a raw-text element, everything between its start and end tags reaches the sanitizer as a single text node rather than as nested tags.\u003c/li\u003e\n\u003cli\u003eThe application passes the HTML through \u003ccode\u003esanitize-html\u003c/code\u003e version 2.17.3 or earlier with default settings.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003exmp\u003c/code\u003e is not an allowed tag, so the wrapper is discarded. Because it is also missing from \u003ccode\u003enonTextTags\u003c/code\u003e, \u003ccode\u003esanitize-html\u003c/code\u003e does not drop the text inside it the way it does for a disallowed \u003ccode\u003escript\u003c/code\u003e or \u003ccode\u003estyle\u003c/code\u003e element.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eontext\u003c/code\u003e handler appends that text to the output without escaping it, so the literal string \u003ccode\u003e\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\u003c/code\u003e lands in the sanitized output with no \u003ccode\u003exmp\u003c/code\u003e wrapper around it.\u003c/li\u003e\n\u003cli\u003eThe sanitized output is stored in the application\u0026rsquo;s database or rendered to other users as trusted HTML.\u003c/li\u003e\n\u003cli\u003eWhen a browser parses that output, the text that was inert inside \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e is now ordinary markup: the \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e element is created and executed.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript runs in the user\u0026rsquo;s browser, potentially stealing sensitive information, performing actions on behalf of the user, or defacing the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n
\u003cp\u003eThis XSS vulnerability allows a remote attacker who can submit HTML to the application to execute arbitrary JavaScript in other users\u0026rsquo; browsers. Successful exploitation can lead to session hijacking, sensitive data theft, account takeover, and defacement of the application. Applications that rely on \u003ccode\u003esanitize-html\u003c/code\u003e for input sanitization and render the output as trusted HTML are vulnerable. The severity is rated as critical due to the ease of exploitation and potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n
\u003cli\u003eUpgrade to \u003ccode\u003esanitize-html\u003c/code\u003e version 2.18.0 or later, where this vulnerability is resolved.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, add \u003ccode\u003exmp\u003c/code\u003e to the \u003ccode\u003enonTextTags\u003c/code\u003e option so that the contents of a disallowed \u003ccode\u003exmp\u003c/code\u003e element are dropped instead of passed through. Leaving \u003ccode\u003exmp\u003c/code\u003e out of \u003ccode\u003eallowedTags\u003c/code\u003e is not a fix on its own: it is already disallowed by default, and that is the configuration the bypass targets. Note that a custom \u003ccode\u003enonTextTags\u003c/code\u003e list replaces the default (\u003ccode\u003escript\u003c/code\u003e, \u003ccode\u003estyle\u003c/code\u003e, \u003ccode\u003etextarea\u003c/code\u003e, \u003ccode\u003eoption\u003c/code\u003e) rather than extending it, so those entries must be repeated alongside \u003ccode\u003exmp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect sanitize-html XSS via XMP Tag Bypass\u003c/code\u003e to identify exploitation attempts (process_creation).\u003c/li\u003e\n\u003cli\u003eReview existing sanitization configurations to confirm that every raw-text element the application does not allow is handled as a non-text tag, not merely as a disallowed one.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T18:27:07Z","date_published":"2026-05-14T18:27:07Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sanitize-html-xss/","summary":"sanitize-html version 2.17.3 and earlier is vulnerable to cross-site scripting (XSS) due to the improper handling of the `xmp` tag, allowing attackers to inject arbitrary HTML and JavaScript code.","title":"CraftedSignal Threat Feed — Sanitization","version":"https://jsonfeed.org/version/1.1"}
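The mechanism in the attack chain above and the nonTextTags workaround, as an added example in JavaScript (not code from sanitize-html or from this brief): it models the described discard-and-pass-through behaviour in a deliberately minimal sanitizer, builds the hardened options object, and provides a probe that runs raw-text-wrapper payloads through any sanitizer function. The model and the probe payloads are constructed for this example; the only library API assumed is the documented nonTextTags option, and treating iframe, noembed and noframes the same way as xmp is this example's generalisation, not a finding of the advisory.

```javascript
// Added example for this brief, not code from sanitize-html. It models the
// failure mode the advisory describes and provides a probe that can be run
// against the real library (or any other sanitizer) to check for it.

// sanitize-html's documented default nonTextTags. When one of these elements is
// disallowed, its text is dropped along with the tags; text inside any other
// disallowed element is kept.
const DEFAULT_NON_TEXT_TAGS = ['script', 'style', 'textarea', 'option'];

// Elements the HTML tokenizer parses in RAWTEXT state: their contents reach the
// parser's text callback as one string, not as nested tags. xmp is the one in
// the advisory; the others are probed too so the check generalises.
const RAW_TEXT_WRAPPERS = ['xmp', 'iframe', 'noembed', 'noframes'];

// Workaround options for the real library: sanitizeHtml(dirty, hardenedOptions()).
// nonTextTags replaces the default list, so the defaults are carried over
// explicitly. Listing all four wrappers is this example's choice; the advisory
// itself only requires xmp.
function hardenedOptions() {
  return { nonTextTags: [...DEFAULT_NON_TEXT_TAGS, ...RAW_TEXT_WRAPPERS] };
}

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Minimal model of a "discard"-mode sanitizer with the bug the advisory
// describes. This is NOT the library: it allows no tags, escapes ordinary text,
// and for a raw-text element drops the wrapper tags, dropping the text only if
// the tag is in nonTextTags and otherwise appending it unescaped.
function modelSanitizer(nonTextTags) {
  const nonText = new Set(nonTextTags.map((t) => t.toLowerCase()));
  const rawText = [...RAW_TEXT_WRAPPERS, 'script', 'style'].join('|');
  const tokens = new RegExp(
    `<(${rawText})\\b[^>]*>([\\s\\S]*?)</\\1\\s*>|<[^>]*>|[^<]+|<`,
    'gi'
  );
  return (dirty) => {
    let out = '';
    for (const m of dirty.matchAll(tokens)) {
      if (m[1] !== undefined) {
        // Raw-text element, always disallowed here: wrapper tags go away.
        // Text survives unescaped unless the tag is a non-text tag (the bug).
        if (!nonText.has(m[1].toLowerCase())) out += m[2];
      } else if (m[0].length > 1 && m[0].startsWith('<') && m[0].endsWith('>')) {
        // Any other tag is discarded; its children are processed as siblings.
      } else {
        out += escapeText(m[0]);
      }
    }
    return out;
  };
}

// Probe payloads (constructed for this example). Inside a raw-text wrapper the
// <script> is inert text; it executes only if the sanitizer strips the wrapper
// and emits the text unescaped.
function probePayloads() {
  return RAW_TEXT_WRAPPERS.map((tag) => ({
    tag,
    dirty: `<${tag}><script>alert(1)</script></${tag}>`,
  }));
}

// Run each probe through `sanitize` (any string -> string function, e.g.
// (d) => sanitizeHtml(d, opts) with the real library) and return the wrappers
// whose contents came back as live markup: an unescaped <script> with the
// wrapper itself gone. If the wrapper survives, the script stays inert text.
function leakingWrappers(sanitize) {
  return probePayloads()
    .filter(({ tag, dirty }) => {
      const clean = sanitize(dirty);
      const wrapperGone = !new RegExp(`<${tag}\\b`, 'i').test(clean);
      return wrapperGone && /<script\b/i.test(clean);
    })
    .map(({ tag }) => tag);
}

// Stand-alone demonstration with the model; swap in the real library to test it.
console.log('leaks with default nonTextTags :',
  leakingWrappers(modelSanitizer(DEFAULT_NON_TEXT_TAGS)));
console.log('leaks with hardened nonTextTags:',
  leakingWrappers(modelSanitizer(hardenedOptions().nonTextTags)));
```

To check a real installation, pass the library in: `leakingWrappers((d) => sanitizeHtml(d))` should return an empty list on a fixed version, and `leakingWrappers((d) => sanitizeHtml(d, hardenedOptions()))` should return an empty list on any version. Whatever the probe reports for iframe, noembed or noframes against the real library is the library's behaviour, not the model's; the model leaks all four because it parses them the way a browser does.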