External risk intelligence

sanitize-html Bypass in ApostropheCMS Leads to Stored Cross-Site Scripting

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-44990

A vulnerability in the `sanitize-html` library, used by ApostropheCMS, can allow attacker-controlled content within an `xmp` element to be rendered as live HTML or JavaScript. This bypasses intended security, potentially leading to stored cross-site scripting if unsanitized user input is displayed to others. The issue

Halo Surface Signal (score: 4)

Cross-site Scripting

External exposure likelihood

Halo Surface Signal score for CVE-2026-44990

The vulnerability affects a content management system and a library used to sanitize web content. CMS platforms and web applications are commonly deployed as internet-facing services, and this vulnerability impacts how user-provided content is rendered, which is a frequent requirement for public-facing websites and applications.

PCI scan relevance

PCI Relevance for CVE-2026-44990

Yes

CVE-2026-44990 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This sanitizer bypass vulnerability in sanitize-html allows for stored XSS, which can lead to a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in a widely used content sanitization library, `sanitize-html`, could allow malicious content to execute as live HTML or JavaScript within applications. This bypasses the intended security controls, potentially leading to stored cross-site scripting attacks if user-provided content is rendered back to other users.

  • Content sanitization can be bypassed.
  • Affects how user content is displayed.
  • Confirm relevance and check for exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by submitting specially crafted content to a web application that uses a vulnerable version of the `sanitize-html` library. If the application renders this content back to users without proper sanitization, the attacker-controlled input within an `xmp` tag could be interpreted as live HTML or JavaScript, leading to cross-site scripting.

  • Content can be submitted to the application.
  • The library fails to sanitize `xmp` tags.
  • Stored XSS can impact users.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow attackers to inject malicious HTML or JavaScript into web applications that use `sanitize-html` in its default configuration. When user-supplied content, specifically within an `xmp` element, is processed by a vulnerable version of the sanitizer, it may be rendered as executable code. This could occur in applications that display user-generated content without adequate further sanitization, potentially impacting stored data and user sessions.

  • Stored HTML and JavaScript could be affected.
  • Attacker-controlled content in `xmp` elements.
  • Stored cross-site scripting (XSS) could occur.
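As an added triage example (not part of this advisory and not tooling from the sanitize-html or ApostropheCMS projects), the following Node.js script scans stored HTML fields for surviving `xmp` elements. A sanitizer working as intended in its default configuration should have discarded that disallowed tag, so any `xmp` element that reached the content store is worth reviewing and re-sanitizing once the library is upgraded. The record layout and sample rows are constructed for the example; adapt the field names to your own store.

```javascript
// Added example: flag stored HTML records that still contain an <xmp> element.
// Assumptions (not from the advisory): records are objects with id, field and
// html properties, standing in for rows exported from a CMS content store.

// Constructed sample records. "comment-7" uses mixed case and attributes, and
// "page-3" mentions "<xmpx>" to show the matcher does not fire on lookalikes.
const SAMPLE_RECORDS = [
  { id: 'page-1', field: 'body', html: '<p>Welcome to our <b>site</b>.</p>' },
  { id: 'page-2', field: 'body', html: '<p>Notes</p><xmp>constructed placeholder</xmp>' },
  { id: 'comment-7', field: 'text', html: '<XMP class="x">a</XMP><xmp>b</xmp>' },
  { id: 'page-3', field: 'body', html: '<p>Talking about xmp tags and <xmpx> elements</p>' },
];

// Return every opening <xmp> tag in a string. The match is case-insensitive
// and requires whitespace, ">" or "/" right after the tag name so that
// "<xmpx>" or "<xmpfoo>" are not counted. Each hit carries its offset and a
// short snippet for the reviewer.
function findXmpOccurrences(html) {
  const re = /<xmp(?=[\s>\/])/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    hits.push({ index: m.index, snippet: html.slice(m.index, m.index + 40) });
  }
  return hits;
}

// Scan a list of records and report only those with at least one hit.
function scanRecords(records) {
  const findings = [];
  for (const rec of records) {
    const hits = findXmpOccurrences(rec.html);
    if (hits.length > 0) {
      findings.push({
        id: rec.id,
        field: rec.field,
        count: hits.length,
        firstIndex: hits[0].index,
        snippet: hits[0].snippet,
      });
    }
  }
  return findings;
}

const findings = scanRecords(SAMPLE_RECORDS);
for (const f of findings) {
  console.log(`${f.id}.${f.field}: ${f.count} <xmp> occurrence(s), first at offset ${f.firstIndex}: ${JSON.stringify(f.snippet)}`);
}
console.log(`${findings.length} of ${SAMPLE_RECORDS.length} records flagged`);
```

The scan is a presence check, not a parser: it tells you which records to look at, and the flagged content should then be re-run through the patched sanitizer rather than edited by hand.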

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Application and platform teams are responsible for addressing this vulnerability in ApostropheCMS and its `sanitize-html` dependency. The first step is to identify all deployments of `sanitize-html`, confirm their reachability and criticality, and then assign ownership for remediation.

  • Own the issue: Application and Platform Teams.
  • Verify first: Identify vulnerable instances.
  • Action: Plan and coordinate updates.

Frequently asked questions

What are ApostropheCMS and sanitize-html?

ApostropheCMS is a Node.js-based content management system used to build websites. It relies on the sanitize-html library to clean user-submitted content before it is displayed, ensuring that malicious code cannot be embedded into pages. When this library functions correctly, it strips out dangerous tags, allowing only safe HTML to be rendered.

What does CVE-2026-44990 mean for security?

This CVE describes a sanitizer bypass, specifically categorized as CWE-79 (Cross-site Scripting). It means the library fails to properly clean specific HTML tags. Instead of discarding forbidden content as expected, the system may treat it as executable code. This flaw allows an attacker to store malicious scripts on a site, which then execute in the browsers of other users who view that content.

How is this sanitization bypass triggered?

The bypass occurs when an attacker includes content within an `xmp` tag that is processed by a vulnerable version of the library. It does not trigger if the application is not using the default 'discard' configuration for disallowed tags, or if the input does not contain the specific `xmp` element structure that causes the sanitizer to fail.

Is my application at risk according to Halo Surface Signal?

Halo Surface Signal identifies this as a likely risk because content management systems are typically internet-facing to serve public web traffic. Since the vulnerability involves how user-provided content is rendered—a standard function for most public websites—any application using a vulnerable version that accepts user input faces a higher risk of exploitation.

What steps should I take if I use this software?

Start by identifying all applications in your environment that utilize the sanitize-html library. Verify which versions are currently in use across your deployments. If you find versions prior to 2.17.4, coordinate with your development team to update the library to the patched version, which corrects the handling of the problematic tag.
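As an added example of the version check described above (not tooling from this advisory or from the sanitize-html project), the following Node.js script reads a `package-lock.json` and reports every installed copy of `sanitize-html` older than 2.17.4, the fixed version the advisory names. It assumes lockfile version 2 or 3, where all installed packages are listed under `"packages"` keyed by their path, and it deliberately looks for nested copies because a plugin can carry its own copy that hoisting did not dedupe. The lock file contents below are constructed for the example.

```javascript
// Added example: find unpatched copies of sanitize-html in a package-lock.json.
// Assumption (not from the advisory): lockfileVersion 2 or 3 layout, where the
// "packages" object maps install paths to entries with a "version" field.
const FIXED_VERSION = '2.17.4';

// Constructed lock file. The top-level copy is patched, but a second copy
// nested under "some-plugin" (a hypothetical dependency) is not.
const SAMPLE_LOCK = {
  name: 'example-site',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-site', version: '1.0.0', dependencies: { 'sanitize-html': '^2.0.0' } },
    'node_modules/sanitize-html': { version: '2.17.4' },
    'node_modules/some-plugin': { version: '0.3.1' },
    'node_modules/some-plugin/node_modules/sanitize-html': { version: '2.11.0' },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease sorts below
// the corresponding release (2.17.4-beta.1 < 2.17.4), so it is still reported
// as unpatched; build metadata is ignored.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Every installed copy of a package, wherever it sits in the dependency tree.
function findInstalledCopies(lock, packageName) {
  const suffix = `node_modules/${packageName}`;
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      copies.push({ path, version: entry.version });
    }
  }
  return copies;
}

// Copies whose version is below the fixed version.
function findVulnerableCopies(lock, packageName = 'sanitize-html', fixed = FIXED_VERSION) {
  return findInstalledCopies(lock, packageName).filter((c) => compareVersions(c.version, fixed) < 0);
}

const vulnerable = findVulnerableCopies(SAMPLE_LOCK);
for (const c of vulnerable) {
  console.log(`UNPATCHED ${c.path} ${c.version} (< ${FIXED_VERSION})`);
}
console.log(vulnerable.length === 0 ? 'no unpatched copies found' : `${vulnerable.length} unpatched copy/copies found`);
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('node:fs').readFileSync('package-lock.json', 'utf8'))`; `npm ls sanitize-html` gives the same tree view interactively. Lockfile version 1 files use a nested `"dependencies"` tree instead of `"packages"` and are not handled by this script.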

References