Wiz
Vulnerability DatabaseGHSA-26wg-9xf2-q495

GHSA-26wg-9xf2-q495
JavaScript vulnerability analysis and mitigation

Summary

XSS sanitization is incomplete, some attributes are missing such as oncontentvisibilityautostatechange=. This allows for the email preview to render HTML that executes arbitrary JavaScript,

Details

Sanitization is implemented here: https://github.com/novuhq/novu/blob/next/libs/application-generic/src/services/sanitize/sanitizer.service.ts With allowedAttributes: false, all attributes are allowed through sanitize-html. Even dangerous ones like oncontentvisibilityautostatechange=. The DANGEROUS_ATTRIBUTES array tries to handle this by denying more attributes after the fact, but this list is incomplete. I copied all well-known payloads from: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet And found that the oncontentvisibilityautostatechange= attribute isn't detected. PS. there seems to also be another even more lax sanitizer here, but I wasn't able to figure out where it is used: https://github.com/novuhq/novu/blob/next/packages/framework/src/utils/sanitize.utils.ts

PoC

  1. Create a new workflow and add an Email step
  2. In the body, write the following HTML code:
<a oncontentvisibilityautostatechange="alert(window.origin)" style="display:block;content-visibility:auto">
  1. Wait a second and notice the XSS popup showing the current origin:

image https://dashboard.novu.co/env/dev_env_gVtdgDEhgf1CetwX/workflows/onboarding-demo-workflow_wf_gVtdh2uV0h7j3ffK/steps/email-step_st_gVtqdgIrOkYVvP9F/editor

Impact

This may look like a Self-XSS similar to https://github.com/novuhq/novu/security/advisories/GHSA-w8vm-jx29-52fr, but it can be more impactful. First of all, if multiple users can access this dashboard, the link above can directly bring the to the email step editor to trigger the XSS. An attacker can also use the Google/GitHub OAuth flows without completing the code callback step, and send that URL to the victim to intentionally log the vicitm into the attacker's account. If the attacker has prepared an XSS payload there, they will now be allowed to view it, so it triggers.

SourceNVD

Related JavaScript vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

GHSA-9pp3-53p2-ww9vCRITICAL9.1
  • JavaScriptJavaScript
  • @vendure/core
NoYesApr 14, 2026
CVE-2026-39884HIGH8.3
  • JavaScriptJavaScript
  • mcp-server-kubernetes
NoYesApr 14, 2026
GHSA-26wg-9xf2-q495HIGH8.1
  • JavaScriptJavaScript
  • novu/api
NoYesApr 14, 2026
CVE-2026-40255MEDIUM6.1
  • JavaScriptJavaScript
  • @adonisjs/core
NoYesApr 14, 2026
GHSA-4x48-cgf9-q33fHIGHN/A
  • JavaScriptJavaScript
  • @novu/api
NoYesApr 14, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo