PatchSiren cyber security CVE debrief
CVE-2026-44990 apostrophecms CVE debrief
CVE-2026-44990 is a critical vulnerability in sanitize-html, a Node.js library used by ApostropheCMS. The vulnerability allows an attacker to bypass HTML sanitization, potentially leading to stored XSS attacks. Versions of `sanitize-html` prior to 2.17.4 are affected. The vulnerability has a CVSS score of 9.3 and is considered critical.
- Vendor: apostrophecms
- Product: sanitize-html
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Developers using ApostropheCMS or the sanitize-html library, and security teams responsible for monitoring and patching vulnerabilities.
Technical summary
Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users.
Defensive priority
high
Recommended defensive actions
- Update `sanitize-html` to version 2.17.4 or later
- Review and update ApostropheCMS configurations to ensure secure usage of sanitize-html
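As an added example (not from this debrief and not code from the sanitize-html or ApostropheCMS projects), the following Node.js script helps with the first action above: it walks an npm `package-lock.json` (lockfileVersion 2 or 3), finds every installed copy of `sanitize-html`, including nested copies pulled in by plugins, and flags any version below the fixed release 2.17.4. The sample lockfile is constructed for the example, and `some-plugin` is a placeholder dependency name.

```javascript
// Added example: flag installed sanitize-html copies older than the fixed
// release named in the advisory. Not part of the original page or project.

const FIXED_VERSION = '2.17.4'; // first non-affected release per the advisory

// Compare two dotted numeric versions and return -1, 0 or 1.
// Prerelease/build suffixes (e.g. "-beta.1") are stripped, so a prerelease
// is treated like its base version; adjust if your lockfile uses them.
function compareVersions(a, b) {
  const parse = (v) =>
    String(v).replace(/^v/, '').split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A version is affected if it is strictly older than the fixed release.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk the lockfile "packages" map and return every installed copy of
// sanitize-html, including duplicates nested under other dependencies.
function findSanitizeHtml(lockfile) {
  const results = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '' || !path.endsWith('node_modules/sanitize-html')) continue;
    results.push({ path, version: entry.version, affected: isAffected(entry.version) });
  }
  return results;
}

// Only the copies that still need an upgrade.
function affectedCopies(lockfile) {
  return findSanitizeHtml(lockfile).filter((r) => r.affected);
}

// Constructed sample lockfile: the root copy is already fixed, but a plugin
// (placeholder name "some-plugin") pins an older, affected copy.
const SAMPLE_LOCKFILE = {
  name: 'example-site',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-site', dependencies: { 'sanitize-html': '^2.17.4', 'some-plugin': '1.0.0' } },
    'node_modules/sanitize-html': { version: '2.17.4' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { 'sanitize-html': '^2.13.0' } },
    'node_modules/some-plugin/node_modules/sanitize-html': { version: '2.13.1' },
  },
};

// Report on the constructed sample; for a real project, replace SAMPLE_LOCKFILE
// with JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
for (const copy of findSanitizeHtml(SAMPLE_LOCKFILE)) {
  console.log(`${copy.path}: ${copy.version} ${copy.affected ? 'AFFECTED (< ' + FIXED_VERSION + ')' : 'ok'}`);
}
```

Nested copies matter because `npm update sanitize-html` at the root does not necessarily change a copy that a plugin pins under its own `node_modules`; the report lists the lockfile path of each copy so the offending dependency can be identified and upgraded or overridden.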
Evidence notes
CVE-2026-44990 has a CVSS score of 9.3 and is considered critical. The vulnerability is caused by a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path.
Official resources
- CVE-2026-44990 CVE record (CVE.org)
- CVE-2026-44990 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-44990 was published on 2026-06-12T21:16:22.447Z and has not been modified since then.