CVE-2026-44990 CRITICAL

CVE-2026-44990: Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

Vendor Apostrophecms
Product sanitize-html
Weakness CWE-79 · XSS
Published June 12, 2026
Last update June 30, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.

Key dates

02Disclosure timeline

June 12, 2026 CVE published
June 30, 2026 Record updated