Critical severity9.3GHSA Advisory· Published Jun 12, 2026· Updated Jun 15, 2026
CVE-2026-44990
CVE-2026-44990
Description
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or JavaScript. This is a sanitizer bypass in the default disallowedTagsMode: 'discard' path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sanitize-htmlnpm | >= 2.17.3, < 2.17.4 | 2.17.4 |
Affected products
1- Range: <= 2.17.3
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-rpr9-rxv7-x643ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-44990ghsaADVISORY
- github.com/apostrophecms/apostrophe/commit/8d4c882b4ed3a7ce802cd87f89f0c1cb7482b8c2ghsaWEB
- github.com/apostrophecms/apostrophe/issues/5418ghsaWEB
- github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643nvdWEB
News mentions
1- ApostropheCMS: Nine CVEs Disclosed in Single-Day Batch Including Two Critical FlawsVypr Intelligence · Jun 12, 2026