CVE-2026-33979

Exploit

EPSS 0.38%
Veröffentlicht 27.03.2026 21:29:19
Zuletzt bearbeitet 31.03.2026 18:24:58
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)

Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Express Xss Sanitizer Project ≫ Express Xss Sanitizer SwPlatformnode.js Version < 2.0.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.38%	0.298

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CWE-183 Permissive List of Allowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq

Vendor Advisory

Exploit

Mitigation

https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f

Patch

https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-33979

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33979

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33979

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33979