Skip to main content

Sanitize Html

7 CVEs product

Monthly

CVE-2026-53606 MEDIUM PATCH This Month

Cross-site scripting in sanitize-html prior to 2.17.5 allows low-privileged attackers to inject executable `javascript:` URIs through HTML attributes that the library's scheme-blocking logic never inspects. The `naughtyHref()` function gates dangerous URI schemes only for attributes listed in `allowedSchemesAppliedToAttributes` (defaulting to `href`, `src`, and `cite`), leaving attributes such as `action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc`, and `lowsrc` entirely unchecked. Applications that explicitly permit any of these attributes in their sanitize-html configuration are vulnerable; no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.

XSS Node.js Sanitize Html
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2014-125128 MEDIUM POC PATCH This Month

'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Sanitize Html
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25225 npm MEDIUM POC PATCH This Month

`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Sanitize Html Red Hat
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-21501 npm MEDIUM POC PATCH This Month

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Sanitize Html Fedora
NVD GitHub
CVSS 3.1
5.3
EPSS
1.0%
CVE-2022-25887 npm HIGH PATCH This Week

The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Sanitize Html
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-26540 npm MEDIUM POC PATCH This Month

Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Sanitize Html
NVD GitHub
CVSS 3.1
5.3
EPSS
1.8%
CVE-2021-26539 npm MEDIUM POC PATCH This Month

Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Sanitize Html
NVD GitHub
CVSS 3.1
5.3
EPSS
2.0%
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in sanitize-html prior to 2.17.5 allows low-privileged attackers to inject executable `javascript:` URIs through HTML attributes that the library's scheme-blocking logic never inspects. The `naughtyHref()` function gates dangerous URI schemes only for attributes listed in `allowedSchemesAppliedToAttributes` (defaulting to `href`, `src`, and `cite`), leaving attributes such as `action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc`, and `lowsrc` entirely unchecked. Applications that explicitly permit any of these attributes in their sanitize-html configuration are vulnerable; no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.

XSS Node.js Sanitize Html
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Sanitize Html
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Sanitize Html Red Hat
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Sanitize Html Fedora
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Sanitize Html
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM POC PATCH This Month

Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Sanitize Html
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM POC PATCH This Month

Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Sanitize Html
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy