CVE-2026-33979

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33979
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33979.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33979
Aliases
Published
2026-03-27T21:29:19.759Z
Modified
2026-04-02T13:29:11.106470Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N CVSS Calculator
Summary
Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
Details

Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.

Database specific 
{
    "cwe_ids": [
        "CWE-183",
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33979.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/ahmedadelfahim/express-xss-sanitizer

Affected ranges

Type
GIT
Repo
https://github.com/ahmedadelfahim/express-xss-sanitizer
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0c1f75d41e85dee9309273cb60f71ce943da0f60
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.0.2"
        }
    ]
}

Affected versions

V1.*
V1.2.0
v1.*
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.6
v2.*
v2.0.0
v2.0.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33979.json"