CVE-2026-44990
Published 2026-06-12
Priority P3 50 · Severity: critical · CVSS 3.1 base score 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS: 0.37% (28.8th percentile)
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apostrophecms | sanitize-html | < 2.17.4 | 2.17.4 |
| apostrophecms | sanitize-html | 0 – 2.17.3 | — |
| container-native-virtualization | kubevirt-console-plugin-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| multicluster-engine | console-mce-rhel9 | — | — |
| open-telemetry | opentelemetry-collector-contrib | — | — |
| openshift4 | ose-agent-installer-ui-rhel9 | — | — |
| openshift4 | ose-console | — | — |
| openshift4 | ose-console-rhel9 | — | — |
| quay | quay-rhel8 | — | — |
| quay | quay-rhel9 | — | — |
| rhacm2 | console-rhel9 | — | — |
| rhoai | odh-mlflow-rhel9 | — | — |
| satellite | iop-advisor-frontend-rhel9 | — | — |
| satellite | iop-host-inventory-frontend-rhel9 | — | — |
| satellite | iop-vulnerability-frontend-rhel9 | — | — |
CVSS provenance
NVD (v3.1): 9.3 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Red Hat (vendor): 9.3 CRITICAL
VulDB
apostrophecms apostrophe up to 2.17.3 API cross site scripting (GHSA-rpr9-rxv7-x643)
vuldb·2026-06-13·CVSS 9.3
A vulnerability was found in apostrophecms apostrophe up to 2.17.3 and classified as problematic. This impacts an unknown function of the component API. Such manipulation leads to cross site scripting.
This vulnerability is listed as CVE-2026-44990. The attack may be performed from remote. There is no available exploit.
It is suggested to upgrade the affected component.
GHSA
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
ghsa·2026-05-14
### Summary
Under the default configuration, `sanitize-html` can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users.
### Details
In the affected `sanitize-html` release, the default `nonTextTags` list includes only `script`, `style`, `textarea`, and `option` (`index.js` lines 138-142). That means a disallowed `xmp` tag is not treated as a "drop the entire contents" tag.
Later, in the `ontext` handler at `index.js` lines 569-577, the code special-cases `textarea` and `xmp` and appends their text content directly to the
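As an added example (not code from the advisory or from the sanitize-html project), two defensive helpers in Node.js: a package-lock audit that reports every copy of `sanitize-html` older than the fixed 2.17.4, including copies nested under other dependencies, and an options wrapper that merges `xmp` into sanitize-html's `nonTextTags` option so a disallowed `xmp` element is discarded together with its contents. That `nonTextTags` covers this bypass path is an assumption here; upgrading to 2.17.4 remains the fix. The lockfile contents are constructed.

```javascript
// Added example for CVE-2026-44990, not code from the advisory or the sanitize-html project.
// auditLockfile() lists every sanitize-html copy in a package-lock.json (v2/v3 "packages"
// map, nested copies included) older than the fixed 2.17.4; hardenedOptions() merges `xmp`
// into sanitize-html's `nonTextTags` so a disallowed xmp element is discarded with its
// contents (assumption: that option covers the bypass path; upgrading remains the fix).
const FIXED_VERSION = '2.17.4';
const DEFAULT_NON_TEXT_TAGS = ['script', 'style', 'textarea', 'option']; // per the advisory

// Strip range prefixes (^ ~ = v) and any pre-release/build suffix, keep the dotted core.
function normalizeVersion(v) {
  return String(v).trim().replace(/^[\^~=v]+/, '').split(/[-+]/)[0];
}
// Numeric dotted-version compare: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = normalizeVersion(a).split('.').map(Number);
  const pb = normalizeVersion(b).split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// lock: parsed package-lock.json. Returns "path@version" for each affected copy.
function auditLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isTarget = path === 'node_modules/sanitize-html' || path.endsWith('/node_modules/sanitize-html');
    if (isTarget && meta.version && isVulnerable(meta.version)) hits.push(`${path}@${meta.version}`);
  }
  return hits;
}

// Copy of the caller's sanitize-html options with xmp (and the defaults) in nonTextTags.
function hardenedOptions(userOptions = {}) {
  const merged = new Set([...DEFAULT_NON_TEXT_TAGS, ...(userOptions.nonTextTags || []), 'xmp']);
  return { ...userOptions, nonTextTags: [...merged] };
}

// Constructed sample lock: the hoisted copy is fixed, a nested copy is still vulnerable.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/sanitize-html': { version: '2.17.4' },
    'node_modules/legacy-editor/node_modules/sanitize-html': { version: '2.13.0' },
  },
};
const SAMPLE_REPORT = auditLockfile(SAMPLE_LOCK); // one hit: the nested 2.13.0 copy
```

Run the audit against a real `package-lock.json` with `auditLockfile(JSON.parse(fs.readFileSync(path, 'utf8')))`; a non-empty result means a pre-2.17.4 copy is still installed somewhere in the tree.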
Red Hat
sanitize-html: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass
vendor_redhat·2026-06-12·CVSS 9.3
A flaw was found in the `sanitize-html` library. Under its default configuration, an attacker can embed malicious content within a disallowed `xmp` element. This vulnerability allows the attacker to
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-44990 prometheus: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [epel-all]
bugzilla·2026-06-25·CVSS 9.3
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-44990 python-jupyterlab-widgets: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [epel-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 jupyterlab: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [epel-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 python-ipyparallel: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [epel-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 prometheus: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 python-nbdime: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 python-jupyterlab-widgets: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 golang-github-apache-beam-2: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 cockatrice: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 glances: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [epel-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 python-jupyterlab_pygments: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 python-jupyterlab_pygments: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [epel-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 glances: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 python-ipyparallel: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 jupyterlab: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 python-jupytext: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass [fedora-all]
bugzilla·2026-06-25·CVSS 9.3
Bugzilla
CVE-2026-44990 sanitize-html: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass
bugzilla·2026-06-12·CVSS 9.3
References:
- https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643
- https://access.redhat.com/security/cve/CVE-2026-44990
- https://bugzilla.redhat.com/show_bug.cgi?id=2488565
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44990.json
Published: 2026-06-12