sanitize-html (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package sanitize-html, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (10)
CVE-2026-44990 — CVSS 9.3 (critical): ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API…
CVE-2017-16016 — CVSS 6.1 (medium): Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting…
CVE-2017-16017 — CVSS 6.1 (medium): sanitize-html is a library for scrubbing html input for malicious values Versions 1.2.2 and below have a cross site scripting vulnerability.
CVE-2019-25225 — CVSS 6.1 (medium): `sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does…
CVE-2026-40186 — CVSS 6.1 (medium): ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1…
CVE-2022-25887 — CVSS 5.3 (medium): The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular…
CVE-2024-21501 — CVSS 5.3 (medium): Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style…
CVE-2021-26539 — CVSS 5.3 (medium): Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an…
CVE-2021-26540 — CVSS 5.3 (medium): Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when…