← Volver a CVEs
CVE-2026-33979
HIGH8.2
Descripcion
Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.
Detalles CVE
Puntuacion CVSS v3.18.2
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado3/27/2026
Ultima modificacion3/31/2026
Fuentenvd
Avistamientos honeypot0
Productos afectados
express_xss_sanitizer_project:express_xss_sanitizer
Debilidades (CWE)
CWE-79CWE-183
Referencias
https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f(security-advisories@github.com)
https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2(security-advisories@github.com)
https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq(security-advisories@github.com)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.