cbcvebase.
CVE-2026-44990
published 2026-06-12

CVE-2026-44990: ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default…

PriorityP350critical9.3CVSS 3.1
AVNACLPRNUIRSCCHIHAN
EPSS
0.37%
28.8th percentile
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.

Affected

16 ranges
VendorProductVersion rangeFixed in
apostrophecmssanitize-html< 2.17.42.17.4
apostrophecmssanitize-html0 – 2.17.3
container-native-virtualizationkubevirt-console-plugin-rhel9
devspacesdashboard-rhel9
multicluster-engineconsole-mce-rhel9
open-telemetryopentelemetry-collector-contrib
openshift4ose-agent-installer-ui-rhel9
openshift4ose-console
openshift4ose-console-rhel9
quayquay-rhel8
quayquay-rhel9
rhacm2console-rhel9
rhoaiodh-mlflow-rhel9
satelliteiop-advisor-frontend-rhel9
satelliteiop-host-inventory-frontend-rhel9
satelliteiop-vulnerability-frontend-rhel9

CVSS provenance

nvdv3.19.3CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
vendor_redhat9.3CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.