VYPR
Critical severity9.3GHSA Advisory· Published Jun 12, 2026· Updated Jun 15, 2026

CVE-2026-44990

CVE-2026-44990

Description

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or JavaScript. This is a sanitizer bypass in the default disallowedTagsMode: 'discard' path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
sanitize-htmlnpm
>= 2.17.3, < 2.17.42.17.4

Affected products

1

Patches

Vulnerability mechanics

References

5

News mentions

1