Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

Severity:: High

Description

Under the default configuration, sanitize-html can turn attacker-controlled content inside a disallowed xmp element into live HTML or JavaScript. This is a sanitizer bypass in the default disallowedTagsMode: 'discard' path and can lead to stored XSS in applications that render sanitized output back to users.

Recommendation

Update the sanitize-html package to the latest compatible version. Followings are version details:

Affected version(s): = 2.17.3
Patched version(s): 2.17.4

References

GHSA-rpr9-rxv7-x643
CVE-2026-44990
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements - CVE-2026-40186
SCEditor has DOM XSS via emoticon URL/HTML injection - CVE-2026-25581
Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget - CVE-2026-45012
Apostrophe has stored XSS via javascript: URL in Image Widget Link - CVE-2026-45011

How to Secure your NodeJs Express Javascript Application - part 1

CSRF, XXE, and 12 Other Security Acronyms Explained

How do hackers hack websites?

Tags:: npm; sanitize-html

Anything's wrong? Let us know Last updated on May 21, 2026