← Voltar para CVEs
CVE-2026-33979
HIGH8.2
Descricao
Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.
Detalhes CVE
Pontuacao CVSS v3.18.2
SeveridadeHIGH
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado3/27/2026
Ultima modificacao3/31/2026
Fontenvd
Avistamentos honeypot0
Produtos afetados
express_xss_sanitizer_project:express_xss_sanitizer
Fraquezas (CWE)
CWE-79CWE-183
Referencias
https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f(security-advisories@github.com)
https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2(security-advisories@github.com)
https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq(security-advisories@github.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.