Package impact

npm / sanitize-html

| CVE | Severity | CVSS | Published | Description |
|---|---|---|---|---|
| CVE-2026-44990 | critical | 9.5 | 15d ago | Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` |
| CVE-2026-40186 | unknown | | 1mo ago | sanitize-html allowedTags bypass via entity-decoded text in nonTextTags elements |
| CVE-2019-25225 | unknown | | 9mo ago | `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` op… |
| CVE-2024-21501 | unknown | | 2y ago | Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (… |
| CVE-2022-25887 | unknown | | 4y ago | The package sanitize-html before 2.7.1 is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal. |
| CVE-2021-26540 | unknown | | 5y ago | Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" option is set to true, which allows … |
| CVE-2021-26539 | unknown | | 5y ago | Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain names (IDN), which could allow an attacker to bypass hostname whitelist validation set by the "allow… |
| CVE-2016-1000237 | unknown | | 6y ago | sanitize-html before 1.4.3 has XSS. |
| CVE-2017-16016 | unknown | | 8y ago | sanitize-html is a library for scrubbing HTML input of malicious values. Versions 1.11.1 and below are vulnerable to cross-site scripting (XSS) in certain scenarios: If allowed at least one nonTextTa… |
| CVE-2017-16017 | unknown | | 8y ago | sanitize-html is a library for scrubbing HTML input for malicious values. Versions 1.2.2 and below have a cross-site scripting vulnerability. |