{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-44990", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-08T16:23:33.265Z", "datePublished": "2026-06-12T20:39:47.065Z", "dateUpdated": "2026-06-15T13:04:56.814Z"}, "containers": {"cna": {"title": "Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643"}], "affected": [{"vendor": "apostrophecms", "product": "sanitize-html", "versions": [{"version": "< 2.17.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T20:39:47.065Z"}, "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue."}], "source": {"advisory": "GHSA-rpr9-rxv7-x643", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-15T13:04:32.468259Z", "id": "CVE-2026-44990", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T13:04:56.814Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-44990", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-15T13:04:32.468259Z"}}}], "references": [{"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T13:04:52.492Z"}}], "cna": {"title": "Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`", "source": {"advisory": "GHSA-rpr9-rxv7-x643", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "apostrophecms", "product": "sanitize-html", "versions": [{"status": "affected", "version": "< 2.17.4"}]}], "references": [{"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643", "name": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T20:39:47.065Z"}}}, "cveMetadata": {"cveId": "CVE-2026-44990", "state": "PUBLISHED", "dateUpdated": "2026-06-15T13:04:56.814Z", "dateReserved": "2026-05-08T16:23:33.265Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-12T20:39:47.065Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue."}], "id": "CVE-2026-44990", "lastModified": "2026-06-15T20:54:05.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-06-12T21:16:22.447", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "sanitize-html: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass", "id": "2488565", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488565"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.", "A flaw was found in the `sanitize-html` library. Under its default configuration, an attacker can embed malicious content within a disallowed `xmp` element. This vulnerability allows the attacker to bypass the HTML sanitization process, leading to stored Cross-Site Scripting (XSS). Successful exploitation can result in arbitrary code execution or information disclosure when a user views the affected content."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-44990", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/console-mce-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/console-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "opentelemetry-collector", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "opentelemetry-collector-contrib", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-ui-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-console-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/dashboard-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-console-plugin-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "nodejs-sanitize-html", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-advisor-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-host-inventory-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-vulnerability-frontend-rhel9", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-06-12T20:39:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-44990\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-44990\nhttps://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643"], "statement": "This is an Important flaw. The `sanitize-html` library, used in Red Hat products, is susceptible to a stored Cross-Site Scripting (XSS) bypass. Malicious content within a disallowed `xmp` element can be rendered as live HTML or JavaScript due to a sanitizer bypass in the default configuration. This can lead to arbitrary code execution or information disclosure when affected content is viewed.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.17.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "sanitize-html", "source": "cna", "vendor": "apostrophecms"}, "product": "sanitize-html", "vendor": "apostrophecms"}], "created": "2026-06-12T23:00:08.415555+00:00", "updated": "2026-06-12T23:00:08.889613+00:00", "vendors": ["apostrophecms", "apostrophecms$PRODUCT$sanitize-html"]}