← All CVEs

CVE-2026-44990

CRITICAL 9.3

Published 2026-06-12 · Last modified 2026-06-30

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.

ELEVATED IMPACT

Severe if exploited (CVSS 9.3), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.4%chance of exploitation in 30 days · 29th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

9.3CVSS 3.1 · CRITICAL

  • ConfidentialityHigh
  • IntegrityHigh
  • AvailabilityNone

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: A user must take an action (click / open a file)
  • Complexity: No special conditions — reliably repeatable

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Apostrophecms Red Hat

Products Sanitize Html Multicluster Engine For Kubernetes Red Hat Advanced Cluster Management For Kubernetes 2 Red Hat Hardened Images Red Hat Openshift Ai (Rhoai) Red Hat Openshift Container Platform 4 Red Hat Openshift Dev Spaces Red Hat Openshift Virtualization 4

Weakness (CWE)

  • CWE-79: Cross-site scripting (XSS)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Sources: NVD · CVE.org · EPSS