Description
OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy. At time of publication no known patch is available.
References (1)
Core 1
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/OWASP/java-html-sanitizer/security/advisories/GHSA-g9gq-3pfx-2gw2
Scores
CVSS v3
6.1
EPSS
0.0023
EPSS Percentile
13.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (2)
com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer
20240325.1 - 20260101.1Maven
owasp/java_html_sanitizer
20240325.1
Published
Nov 26, 2025
Tracked Since
Feb 18, 2026