9.3
CVE-2026-44990
- EPSS 0.4%
- Veröffentlicht 12.06.2026 20:39:47
- Zuletzt bearbeitet 09.07.2026 13:17:20
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
HerstellerRed Hat
≫
Produkt
Red Hat Advanced Cluster Management for Kubernetes 2.14
Default Statusaffected
HerstellerRed Hat
≫
Produkt
multicluster engine for Kubernetes 2.9
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Hardened Images
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat OpenShift AI (RHOAI)
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat OpenShift Container Platform 4
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat OpenShift Dev Spaces
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat OpenShift Virtualization 4
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Quay 3
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Satellite 6
Default Statusaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.4% | 0.319 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 9.3 | 2.8 | 5.8 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://bugzilla.redhat.com/show_bug.cgi?id=2488565
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44990.json
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:36883
https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643
https://access.redhat.com/security/cve/CVE-2026-44990