Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2026-44990— Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

CVSS 9.3 · Critical EPSS 0.32% · P24

Affected Version Matrix 1

VendorProductVersion RangeStatus
apostrophecmssanitize-html< 2.17.4affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-44990

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
Source: NVD (National Vulnerability Database)
Vulnerability Description
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apostrophecms sanitize-html 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apostrophecms sanitize-html是Apostrophecms公司开源的一个HTML清理库。 Apostrophecms sanitize-html 2.17.4之前版本存在跨站脚本漏洞,该漏洞源于在默认配置的 disallowedTagsMode: 'discard' 路径下,攻击者可以利用禁止的 `xmp` 元素内的内容转换为HTML或JavaScript,导致存储型跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
apostrophecmssanitize-html < 2.17.4 -

II. Public POCs for CVE-2026-44990

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 6512 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-44990

登录查看更多情报信息。

Vendor Advisories for CVE-2026-44990 (1)

Same Patch Batch · apostrophecms · 2026-06-12 · 10 CVEs total

CVE-2026-536099.1 CRITICALApostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that l
CVE-2026-536088.7 HIGH@apostrophecms/seo Vulnerable to Stored XSS via Unsanitized Google Analytics / GTM ID Inje
CVE-2026-450138.1 HIGHApostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Inpu
CVE-2026-450127.6 HIGHApostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/valid
CVE-2026-450117.3 HIGHApostrophe has stored XSS via javascript: URL in Image Widget Link
CVE-2026-428536.5 MEDIUM@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input
CVE-2026-536065.4 MEDIUMsanitize-html has an incomplete URI scheme validation that allows javascript: URIs through
CVE-2026-536073.7 LOW@apostrophecms/file pretty-URL Vulnerable to Unauthenticated SSRF via Host header
CVE-2026-45014Apostrophe Vulnerable to Stored Cross-Site Scripting via Unsanitized User Display Name in

IV. Related Vulnerabilities

Same product: sanitize-html
Same vendor: apostrophecms
Same weakness: CWE-79

V. Comments for CVE-2026-44990

No comments yet

Leave a comment