PT-2026-28581 · Unknown · Express-Xss-Sanitizer

Lissy93 · Published 2026-03-27 · Updated 2026-03-28 · CVE-2026-33979

CVSS v3.1: 8.2 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Express XSS Sanitizer versions prior to 2.0.2
Express XSS Sanitizer versions 4.x and 5.x

Description

Express XSS Sanitizer, middleware for Express 4.x and 5.x, sanitizes user input data in req.body, req.query, req.headers, and req.params to prevent Cross-Site Scripting (XSS) attacks. A flaw exists where restrictive sanitization configurations are silently ignored. Specifically, when allowedTags is set to an empty array ([]) and allowedAttributes is set to an empty object ({}), the library incorrectly falls back to its default permissive settings instead of stripping all HTML tags and attributes. This allows a wide range of HTML elements and attributes, such as <a href="..."> and <div>, to be injected. The issue stems from validation logic that treats an empty configuration as not provided, leading to a mismatch between developer intent and actual behavior. The vulnerable component is the sanitization logic within the library.

Recommendations

Versions prior to 2.0.2: upgrade to version 2.0.2 or later to ensure that explicitly provided empty configurations for allowedTags and allowedAttributes are respected.
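As an added illustration (not code from express-xss-sanitizer or its maintainers), the following models the option-handling flaw described above next to the corrected check: an emptiness test that treats [] and {} as "not provided" versus a check that falls back only when the key is actually undefined. The default lists, the function names and the toy tag filter are constructed for this example.

```javascript
// Added illustration (not the express-xss-sanitizer code base): two ways an Express
// middleware might resolve allowedTags/allowedAttributes, with constructed defaults.
const DEFAULT_ALLOWED_TAGS = ['b', 'i', 'a', 'div'];      // constructed permissive defaults
const DEFAULT_ALLOWED_ATTRIBUTES = { a: ['href'] };       // constructed permissive defaults

// Vulnerable pattern: "was the option provided?" is answered with an emptiness test,
// so an explicit [] or {} is treated as absent and the permissive defaults win.
function resolveOptionsVulnerable(options = {}) {
  const tags = Array.isArray(options.allowedTags) && options.allowedTags.length > 0
    ? options.allowedTags : DEFAULT_ALLOWED_TAGS;
  const attrs = options.allowedAttributes && Object.keys(options.allowedAttributes).length > 0
    ? options.allowedAttributes : DEFAULT_ALLOWED_ATTRIBUTES;
  return { allowedTags: tags, allowedAttributes: attrs };
}

// Fixed pattern: only a key that is actually missing (undefined) falls back to the
// defaults; an explicit empty array or object means "allow nothing" and is honoured.
function resolveOptionsFixed(options = {}) {
  return {
    allowedTags: options.allowedTags === undefined ? DEFAULT_ALLOWED_TAGS : options.allowedTags,
    allowedAttributes: options.allowedAttributes === undefined
      ? DEFAULT_ALLOWED_ATTRIBUTES : options.allowedAttributes,
  };
}

// Minimal tag/attribute filter standing in for the real sanitizer so the example runs
// offline. It handles only simple, well-formed tags and exists to show the option
// handling, not to serve as a sanitizer.
function stripDisallowed(html, { allowedTags, allowedAttributes }) {
  return html.replace(/<\/?([a-zA-Z][\w-]*)([^>]*)>/g, (whole, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!allowedTags.includes(tag)) return '';
    if (whole.startsWith('</')) return `</${tag}>`;
    const keep = allowedAttributes[tag] || [];
    const attrs = [];
    for (const m of rawAttrs.matchAll(/([\w-]+)(?:="([^"]*)")?/g)) {
      if (keep.includes(m[1].toLowerCase())) {
        attrs.push(m[2] === undefined ? m[1] : `${m[1]}="${m[2]}"`);
      }
    }
    return `<${tag}${attrs.length ? ' ' + attrs.join(' ') : ''}>`;
  });
}

// Constructed input, run through either resolver with the advisory's "strip everything" config.
function sanitize(html, options, resolve) {
  return stripDisallowed(html, resolve(options));
}
const INPUT = 'hi <a href="https://example.test">link</a> <div>block</div>';
const STRICT = { allowedTags: [], allowedAttributes: {} };
```

With STRICT, the vulnerable resolver returns INPUT unchanged (the <a href> and <div> survive), while the fixed resolver strips every tag; a config that sets only allowedTags still inherits the attribute defaults in the fixed version.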

Related Identifiers

CVE-2026-33979
GHSA-3843-RR4G-M8JQ

Affected Products

Express-Xss-Sanitizer