CVE-2026-44990
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Unde
CVSS
9.3
Critical
EPSS
0.5%
p38
KEV
—
Exploit Today
11
0-100
Published: Jun 12, 2026 · Last modified: Jul 17, 2026 · CWE-79
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.
- github.comhttps://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36882
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36883
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:40119
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:40138
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:40262
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:41031
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:41066
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-44990
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2488565
- github.comhttps://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44990.json