Sanitize-html
This hub aggregates every CVE we track for Sanitize-html, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
12 CVEs tracked
1 Critical
0 High
0 In CISA KEV
Severity distribution: Medium 11, Critical 1
Monthly trend (2024-07 to 2026-06): chart of CVEs published per month; not reproduced here.
Latest CVEs
The 12 most recently published vulnerabilities affecting Sanitize-html.
- CVE-2026-53606: sanitize-html has an incomplete URI scheme validation that allows javascript: URIs through action, formaction, data, poster, and background attributes (score 5.4)
- CVE-2026-44990: Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` (score 9.3)
- CVE-2026-40186: ApostropheCMS: sanitize-html allowedTags bypass via entity-decoded text in nonTextTags elements (score 6.1)
- CVE-2014-125128: 'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (`<a>`)... (score 6.1)
- CVE-2019-25225: `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` ... (score 6.1)
- CVE-2024-21501: Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system... (score 5.3)
- CVE-2022-25887: Regular Expression Denial of Service (ReDoS) (score 5.3)
- CVE-2021-26540: Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allow... (score 5.3)
- CVE-2021-26539: Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain names (IDN), which could allow an attacker to bypass hostname whitelist validation set by the "all... (score 5.3)
- CVE-2016-1000237: sanitize-html before 1.4.3 has XSS. (score 6.1)
- CVE-2017-16016: sanitize-html is a library for scrubbing HTML input of malicious values. Versions 1.11.1 and below are vulnerable to cross-site scripting (XSS) in certain scenarios: If allowed at least one nonText... (score 6.1)
- CVE-2017-16017: sanitize-html is a library for scrubbing HTML input for malicious values. Versions 1.2.2 and below have a cross-site scripting vulnerability. (score 6.1)
Product normalization is registry-driven with AI assist and human review.