9.3

CVE-2026-44990

Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue.
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
HerstellerRed Hat
Produkt Red Hat Advanced Cluster Management for Kubernetes 2.14
Default Statusaffected
HerstellerRed Hat
Produkt multicluster engine for Kubernetes 2.9
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Hardened Images
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift AI (RHOAI)
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Container Platform 4
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Dev Spaces
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Virtualization 4
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Quay 3
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Satellite 6
Default Statusaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.4% 0.319
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 9.3 2.8 5.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.1 2.8 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://bugzilla.redhat.com/show_bug.cgi?id=2488565
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44990.json
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:36883
https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643
https://access.redhat.com/security/cve/CVE-2026-44990