CVE-2017-16016 — Cross-site Scripting in Sanitize-html

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 47.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apostrophecms Sanitize-html Punkave Sanitize-html Hackerone Sanitize-html Node Module

Timeline

PublishedJun 4

Latest updateJan 27

Description

Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶npmapostrophecms/sanitize-html< 1.11.4

▶NVDpunkave/sanitize-html1.11.1

▶CVEListV5hackerone/sanitize-html_node_module<=1.11.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Cross-Site Scripting in sanitize-html↗2018-11-09

▶

GHSA

Cross-Site Scripting in sanitize-html↗2018-11-09

▶

CVEList

CVE-2017-16016: Sanitize-html is a library for scrubbing html input of malicious values↗2018-06-04

▶

📋Vendor Advisories

Debian

CVE-2017-16016: node-sanitize-html - Sanitize-html is a library for scrubbing html input of malicious values. Version...↗2017

▶

📄Research Papers

arXiv

AgenticSCR: An Autonomous Agentic Secure Code Review for Immature Vulnerabilities Detection↗2026-01-27

▶