PT-2026-41152 · Npm · Sanitize-Html

Published: 2026-05-14 · Updated: 2026-06-14 · CVE-2026-44990

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: sanitize-html version 2.17.3

Description: A sanitizer bypass exists in the default configuration: the disallowedTagsMode: 'discard' path does not handle the xmp element correctly. Because xmp is not included in the nonTextTags list, its contents are not discarded; instead, the ontext handler appends the text content of xmp tags directly to the output without escaping. Since htmlparser2 treats xmp as a raw-text element, any markup inside it is parsed as text, but it becomes live HTML or JavaScript once appended to the sanitized output. This allows a remote attacker to smuggle payloads such as <script> tags or event handlers, leading to stored cross-site scripting (XSS) when the output is rendered in a browser.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
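As a defence-in-depth measure while no fixed release is known, the following added example (not from the advisory and not the sanitize-html project's code) locates raw-text xmp elements in untrusted input and discards them, tag and contents, before the input reaches the sanitizer; the function names, the configurable tag list and the sample input are this example's own.

```javascript
// Added example, not part of the advisory or of sanitize-html.
// Idea: treat <xmp> the way sanitize-html's 'discard' mode treats its
// nonTextTags, i.e. drop the element together with its text, so nothing
// parsed as raw text can be appended unescaped to the sanitized output.
// Only 'xmp' comes from the advisory; the list is configurable.
const RAW_TEXT_TAGS = ['xmp'];

// Find each listed raw-text element. As with a raw-text parser, everything
// after the opening tag up to the matching close tag is the element's text,
// and an unclosed element runs to the end of the input.
function findRawTextElements(html, tags = RAW_TEXT_TAGS) {
  const found = [];
  for (const tag of tags) {
    const openRe = new RegExp(`<${tag}(?=[\\s/>])[^>]*>`, 'gi');
    let m;
    while ((m = openRe.exec(html)) !== null) {
      const start = m.index;
      const closeRe = new RegExp(`</${tag}\\s*>`, 'gi');
      closeRe.lastIndex = openRe.lastIndex;          // search after the open tag
      const c = closeRe.exec(html);
      const textEnd = c ? c.index : html.length;
      const end = c ? c.index + c[0].length : html.length;
      found.push({ tag, start, end, text: html.slice(openRe.lastIndex, textEnd) });
      openRe.lastIndex = end;                          // continue after this element
    }
  }
  return found.sort((a, b) => a.start - b.start);
}

// Remove every found element (opening tag, text and closing tag) from the input.
function discardRawTextElements(html, tags = RAW_TEXT_TAGS) {
  let out = '';
  let pos = 0;
  for (const el of findRawTextElements(html, tags)) {
    if (el.start < pos) continue;                      // already inside a removed span
    out += html.slice(pos, el.start);
    pos = el.end;
  }
  return out + html.slice(pos);
}

// Constructed sample: an untrusted fragment carrying markup inside <xmp>.
const SAMPLE = '<p>hello</p><xmp><b>bold</b></xmp><p>bye</p>';
console.log(findRawTextElements(SAMPLE));   // one element, text '<b>bold</b>'
console.log(discardRawTextElements(SAMPLE)); // '<p>hello</p><p>bye</p>'
```

Per the description above, listing 'xmp' in sanitize-html's own nonTextTags option should make the sanitizer discard the contents itself; that configuration is not verified here against 2.17.3.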

Exploit

XSS


Related Identifiers

CVE-2026-44990
GHSA-RPR9-RXV7-X643

Affected Products

Sanitize-Html