CVE-2026-44990
CRITICAL 9.3
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.
Severe if exploited (CVSS 9.3), but no known exploitation and low modeled probability. Patch on a normal cadence.
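As an added example (not code from the advisory or from the sanitize-html project), a Node script that audits a `package-lock.json` for copies of sanitize-html older than 2.17.4, including nested copies pulled in by other dependencies; the lockfile contents below are constructed for the demonstration.

```javascript
const FIXED = [2, 17, 4]; // first fixed release per the advisory

// Parse "2.17.3" (prerelease/build suffix ignored) into numeric parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when `version` sorts before `fixed`; unparseable input is not flagged.
function isOlderThan(version, fixed) {
  const a = parseVersion(version);
  if (!a) return false;
  for (let i = 0; i < 3; i++) {
    if (a[i] !== fixed[i]) return a[i] < fixed[i];
  }
  return false;
}

// Walk both lockfile layouts: lockfileVersion 2/3 "packages" (keyed by install
// path) and lockfileVersion 1 nested "dependencies". Nested copies are reported too.
function findVulnerableSanitizeHtml(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/sanitize-html') && isOlderThan(entry.version, FIXED)) {
      hits.push({ path, version: entry.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'sanitize-html' && isOlderThan(dep.version, FIXED)) {
        hits.push({ path, version: dep.version });
      }
      walk(dep.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // v1 layout only
  return hits;
}

// Constructed sample lockfile: a patched top-level copy plus a stale nested one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/sanitize-html': { version: '2.17.4' },
    'node_modules/legacy-widget/node_modules/sanitize-html': { version: '2.17.3' },
  },
};
console.log(findVulnerableSanitizeHtml(SAMPLE_LOCK));
```

To audit a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.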
Exploitation likelihood
0.4% chance of exploitation in 30 days · 29th percentile
Impact if exploited
9.3 CVSS 3.1 · CRITICAL
- Confidentiality: High
- Integrity: High
- Availability: None
What an attacker needs
- ✓ Access: Reachable over the network, no local access needed
- ✓ Privileges: No account or privileges required
- ⚠ User interaction: A user must take an action (click / open a file)
- ✓ Complexity: No special conditions, reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Vendors
- Apostrophecms
- Red Hat
Products
- Sanitize Html
- Multicluster Engine For Kubernetes
- Red Hat Advanced Cluster Management For Kubernetes 2
- Red Hat Hardened Images
- Red Hat Openshift Ai (Rhoai)
- Red Hat Openshift Container Platform 4
- Red Hat Openshift Dev Spaces
- Red Hat Openshift Virtualization 4
Weakness (CWE)
- CWE-79: Cross-site scripting (XSS)
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N