CVE-2026-44990
Cross-Site Scripting (XSS) vulnerability in sanitize-html (npm)


What is CVE-2026-44990 About?

This vulnerability in `sanitize-html` allows attacker-controlled content placed inside a disallowed `xmp` element to bypass sanitization and come out of the sanitizer as live HTML/JavaScript. Where an application stores the sanitized output and later renders it to other users, the result is stored Cross-Site Scripting (XSS): a remote attacker gains arbitrary JavaScript execution in the victim's browser. The bypass works under the library's default configuration.

Affected Software

sanitize-html <=2.17.3

Technical Details

sanitize-html up to and including version 2.17.3 can be bypassed under the default `disallowedTagsMode: 'discard'` configuration. Two behaviours combine. First, `xmp` is not in the default `nonTextTags` list (`script`, `style`, `textarea`, `option`), so when a disallowed `<xmp>` element is discarded only its opening and closing tags are dropped; its contents are kept as text rather than removed together with the tag. Second, htmlparser2 parses `xmp` as a raw-text element, so everything up to `</xmp>` reaches the `ontext` handler as a single text node, and that handler appends the content of `textarea` and `xmp` elements to the output verbatim instead of HTML-escaping it. An attacker who submits `<xmp><script>...</script></xmp>` therefore gets back `<script>...</script>` with no escaping and no surrounding `<xmp>` to keep it inert. The markup passed the sanitizer's parser as text, but the browser parses the sanitized string again when it is inserted into the DOM and executes it as live HTML/JavaScript. Event-handler attributes smuggled the same way (an `<img>` with an `onerror` handler inside `<xmp>`, for example) behave identically, which is what makes this a stored XSS in any application that persists and re-renders the sanitized output.

What is the Impact of CVE-2026-44990?

Successful exploitation may allow attackers to execute arbitrary JavaScript in a victim's browser, enabling session hijacking, defacement, unauthorized actions, and data theft.

What is the Exploitability of CVE-2026-44990?

Exploitation requires an attacker to submit HTML content to an application that runs it through sanitize-html with the default configuration and then renders the sanitized output as trusted HTML in a browser. The vulnerability is remotely exploitable. It needs no authentication to the target if content submission is public; otherwise, whatever authentication the application demands for submitting content is the only prerequisite. Attack complexity is low: the payload is an ordinary XSS payload wrapped in a single element, e.g. `<xmp><script>alert(1)</script></xmp>`. Nothing is required on the victim's side beyond viewing the page that renders the compromised content. The primary risk factor is how widely sanitize-html is deployed with default settings in front of user-supplied content.
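To make the mechanism from Technical Details and the payload above concrete, the following JavaScript is an added model of the `discard` path the advisory describes; it is not sanitize-html's own code and not htmlparser2's. It reproduces only the three behaviours that matter: raw-text elements swallow their contents as a single text node, a disallowed wrapper tag is dropped on its own unless it is in `nonTextTags`, and text whose parent is `textarea` or `xmp` is appended verbatim instead of being escaped. All constant, function and payload names are this example's own, the allow-list is a constructed subset, and `hardenedOptions` assumes `sanitizeHtml.defaults` exposes the default `nonTextTags` array.

```javascript
// Added example: a minimal model of the sanitize-html 'discard' behaviour
// described in the advisory. Not the library's code; names are this example's.

// Tags an htmlparser2-style tokenizer treats as raw text: everything up to
// the matching close tag is one text node, never markup.
const RAW_TEXT_TAGS = new Set(['script', 'style', 'textarea', 'xmp']);
// Constructed subset of an allow-list; xmp and script are deliberately absent.
const DEFAULT_ALLOWED = new Set(['p', 'b', 'i', 'a']);
// The default nonTextTags the advisory quotes: a disallowed tag in this list
// takes its text with it when discarded.
const DEFAULT_NON_TEXT = new Set(['script', 'style', 'textarea', 'option']);
// The flaw as described: text under these parents is appended unescaped.
const UNESCAPED_PARENTS = new Set(['textarea', 'xmp']);

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Tokenize into open/close/text tokens. Attributes are ignored; they do not
// matter for this bypass.
function tokenize(html) {
  const tokens = [];
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/y;
  let i = 0;
  while (i < html.length) {
    tagRe.lastIndex = i;
    const m = tagRe.exec(html);
    if (m) {
      const name = m[2].toLowerCase();
      const isClose = m[1] === '/';
      tokens.push({ type: isClose ? 'close' : 'open', name });
      i = tagRe.lastIndex;
      if (!isClose && RAW_TEXT_TAGS.has(name)) {
        // Raw text: scan to the close tag; everything between is text.
        const rest = html.slice(i);
        const close = new RegExp('</' + name + '\\s*>', 'i').exec(rest);
        const end = close ? close.index : rest.length;
        tokens.push({ type: 'text', text: rest.slice(0, end) });
        i += end;
      }
    } else {
      const next = html.indexOf('<', html[i] === '<' ? i + 1 : i);
      const end = next === -1 ? html.length : next;
      tokens.push({ type: 'text', text: html.slice(i, end) });
      i = end;
    }
  }
  return tokens;
}

// Model of disallowedTagsMode: 'discard' with the two knobs that matter.
function modelSanitize(html, opts = {}) {
  const allowed = opts.allowedTags || DEFAULT_ALLOWED;
  const nonText = opts.nonTextTags || DEFAULT_NON_TEXT;
  const unescapedParents = opts.unescapedParents || UNESCAPED_PARENTS;
  const stack = [];   // open element names, allowed or not
  let skipDepth = 0;  // > 0 while inside a discarded nonTextTags element
  let out = '';
  for (const t of tokenize(html)) {
    if (t.type === 'open') {
      stack.push(t.name);
      if (allowed.has(t.name)) { out += '<' + t.name + '>'; continue; }
      if (nonText.has(t.name)) skipDepth++; // discard the tag AND its text
      // otherwise only the tag is discarded; its text still reaches ontext
    } else if (t.type === 'close') {
      const idx = stack.lastIndexOf(t.name);
      if (idx === -1) continue;
      while (stack.length > idx) {
        const name = stack.pop();
        if (allowed.has(name)) out += '</' + name + '>';
        else if (nonText.has(name)) skipDepth--;
      }
    } else if (skipDepth === 0) {
      const parent = stack[stack.length - 1];
      // The bug: verbatim append for textarea/xmp instead of escaping.
      out += unescapedParents.has(parent) ? t.text : escapeHtml(t.text);
    }
  }
  return out;
}

// Constructed payload of the shape given in the advisory.
const PAYLOAD = '<p>hi</p><xmp><script>alert(1)</script></xmp>';

// Default configuration: the xmp wrapper is dropped, its contents survive live.
function vulnerableOutput(html) {
  return modelSanitize(html);
}

// Workaround consistent with the analysis: treat xmp like textarea so that
// discarding the tag discards its contents as well.
function hardenedOutput(html) {
  return modelSanitize(html, { nonTextTags: new Set([...DEFAULT_NON_TEXT, 'xmp']) });
}

// The same workaround as options for the real library. `defaults` is assumed
// to be sanitizeHtml.defaults, i.e. an object exposing nonTextTags.
function hardenedOptions(defaults) {
  return { nonTextTags: [...defaults.nonTextTags, 'xmp'] };
}

// Regression check to run over sanitizer output in CI: no live script element
// and no event-handler attribute should survive.
function hasLiveScript(out) {
  return /<script\b/i.test(out) || /\son[a-z]+\s*=/i.test(out);
}
```

Running `vulnerableOutput(PAYLOAD)` yields `<p>hi</p><script>alert(1)</script>`: the `<xmp>` wrapper is gone and the script is bare markup. `hardenedOutput(PAYLOAD)` yields `<p>hi</p>`, and a plain `<script>` outside `xmp` is dropped by the default model because `script` is in `nonTextTags`. The `hasLiveScript` check is the kind of assertion worth keeping in a test suite for whichever sanitizer configuration is deployed; it is not a substitute for upgrading once a fixed release exists.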

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2026-44990?

Available Upgrade Options

  • No fixes available
  • Interim mitigation, derived from the analysis above and not an official fix: pass a `nonTextTags` option that includes `xmp` alongside the defaults (`script`, `style`, `textarea`, `option`) so that a discarded `<xmp>` takes its contents with it, and do not render sanitized user content as HTML where plain text will do.


Additional Resources

What are Similar Vulnerabilities to CVE-2026-44990?

Similar Vulnerabilities: CVE-2023-38545, CVE-2022-29007, CVE-2021-23393, CVE-2020-7790, CVE-2020-15106