202 matches found
ROOT-APP-NPM-NSWG-ECO-154 NSWG-ECO-154 in @rootio/sanitize-html - Patched by Root
Root has patched NSWG-ECO-154 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2017-16016 CVE-2017-16016 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2017-16016 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2019-25225 CVE-2019-25225 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2019-25225 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2022-25887 CVE-2022-25887 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2022-25887 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2016-1000237 CVE-2016-1000237 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2016-1000237 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2021-26540 CVE-2021-26540 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2021-26540 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2021-26539 CVE-2021-26539 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2021-26539 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2024-21501 CVE-2024-21501 in @rootio/sanitize-html - Patched by Root
Root has patched CVE-2024-21501 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
PT-2026-49160
Root has patched NSWG-ECO-154 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
org.webjars.npm:github-com-daichirata-vue-sanitize (=0.2.2), org.webjars.npm:github-com-daichirata-vue-sanitize- (=0.2.2) potentially affected by CVE-2026-45011 via org.webjars.npm:sanitize-html (=2.7.0)
org.webjars.npm:sanitize-html MAVEN version =2.7.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:sanitize-html and may be impacted: - org.webjars.npm:github-com-daichirata-vue-sanitize =0.2.2 -...
@_sh/strapi-plugin-ckeditor (>=5.0.2 <=7.1.1), @a.agiir/cinny (>=0.0.1 <=0.0.2) +1249 more potentially affected by CVE-2026-45011 via sanitize-html (>=2.10.0 <=2.17.3)
sanitize-html NPM version =2.10.0, =5.0.2, =0.0.1, =1.0.0, =1.0.0, =0.0.1, =1.0.8, =0.6.2-alpha.0, =0.7.3, =0.6.2-alpha.0, =0.6.2-alpha.0, =0.6.2-alpha.0, =0.8.21 and more Source cves: CVE-2026-45011 Source advisory: SNYK:JS-SANITIZEHTML-16759743...
Improper Encoding or Escaping of Output
Overview sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An...
@_sh/strapi-plugin-ckeditor (>=5.0.2 <=7.1.1), @a.agiir/cinny (>=0.0.1 <=0.0.2) +1249 more potentially affected by CVE-2026-44990 via sanitize-html (>=2.10.0 <=2.17.3)
sanitize-html NPM version =2.10.0, =5.0.2, =0.0.1, =1.0.0, =1.0.0, =0.0.1, =1.0.8, =0.6.2-alpha.0, =0.7.3, =0.6.2-alpha.0, =0.6.2-alpha.0, =0.6.2-alpha.0, =0.8.21 and more Source cves: CVE-2026-44990 Source advisory: SNYK:JS-SANITIZEHTML-16697325...
org.webjars.npm:github-com-daichirata-vue-sanitize (=0.2.2), org.webjars.npm:github-com-daichirata-vue-sanitize- (=0.2.2) potentially affected by CVE-2026-44990 via org.webjars.npm:sanitize-html (=2.7.0)
org.webjars.npm:sanitize-html MAVEN version =2.7.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:sanitize-html and may be impacted: - org.webjars.npm:github-com-daichirata-vue-sanitize =0.2.2 -...
NPM: Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
NPM: Apostrophe has default XSS via xmp raw-text passthrough in sanitize-html vulnerability discovered by ? in WordPress Npm sanitize-html versions 2.17.3...
GHSA-RPR9-RXV7-X643 Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
Summary Under the default configuration, sanitize-html can turn attacker-controlled content inside a disallowed xmp element into live HTML or JavaScript. This is a sanitizer bypass in the default disallowedTagsMode: 'discard' path and can lead to stored XSS in applications that render sanitized...
Cross-site Scripting (XSS)
Overview sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Cross-site Scripting XSS via the xmp raw-text passthrough. An attacker can...
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
Summary Under the default configuration, sanitize-html can turn attacker-controlled content inside a disallowed xmp element into live HTML or JavaScript. This is a sanitizer bypass in the default disallowedTagsMode: 'discard' path and can lead to stored XSS in applications that render sanitized...
PT-2026-41152
Name of the Vulnerable Software and Affected Versions sanitize-html version 2.17.3 Description A sanitizer bypass exists in the default configuration where the disallowedTagsMode: 'discard' path fails to properly handle the xmp element. Because xmp is not included in the nonTextTags list, its...
GHSA-9MRH-V2V3-XPFM sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
Summary Commit 49d0bb7 introduced a regression in sanitize-html that bypasses allowedTags enforcement for text inside nonTextTagsArray elements textarea and option. Entity-encoded HTML inside these elements passes through the sanitizer as decoded, unescaped HTML, allowing injection of arbitrary...