CVE-2026-44990
critical
CVSS v3
not published
CVSS v4
not published
VIR risk
9.5
Description
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
Predictions
Exploit likelihood
30%
Patch ETA
not published
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | sanitize-html | = 2.17.3 (>=2.17.3, <2.17.4) | 2.17.4 |
References
- https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643
- https://github.com/apostrophecms/apostrophe/issues/5418
- https://github.com/apostrophecms/apostrophe/commit/8d4c882b4ed3a7ce802cd87f89f0c1cb7482b8c2
- https://github.com/apostrophecms/apostrophe
- https://github.com/advisories/GHSA-rpr9-rxv7-x643