CVE-2026-33979
Severity
HIGH
Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
Title source: cnaDescription
Express XSS Sanitizer is Express 4.x and 5.x middleware that sanitizes user input (in req.body, req.query, req.headers and req.params) to prevent Cross-Site Scripting (XSS) attacks. A vulnerability has been identified in versions prior to 2.0.2 in which restrictive sanitization configurations are silently ignored: a caller that passes an empty allow-list still gets the permissive default lists. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.
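The following is an added illustration of the defect class described above (CWE-183, a permissive allow-list surviving a restrictive configuration); it is not the project's code and not sanitize-html. The exact check used in the affected versions is not stated on this page, so the "weak" helper below assumes a truthiness/length test on the option value, which is the common way an empty array or object gets mistaken for "not provided". The default allow-lists and the toy tag stripper are constructed stand-ins so the effect can be seen offline; `respectsEmptyConfig` is the kind of check a reviewer can run against any options-merging layer in front of a sanitizer.

```javascript
// Added example, not the project's own code. Default lists below are
// constructed stand-ins, not sanitize-html's real defaults.
const DEFAULT_ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'a', 'p'];
const DEFAULT_ALLOWED_ATTRIBUTES = { a: ['href'] };

// Weak pattern (assumed, for illustration): a truthiness/length check treats
// [] and {} as "not provided", so a caller asking for no tags and no
// attributes at all silently gets the permissive defaults back.
function buildOptionsWeak(userOptions = {}) {
  const tags = userOptions.allowedTags;
  const attrs = userOptions.allowedAttributes;
  return {
    allowedTags: tags && tags.length ? tags : DEFAULT_ALLOWED_TAGS,
    allowedAttributes: attrs && Object.keys(attrs).length ? attrs : DEFAULT_ALLOWED_ATTRIBUTES,
  };
}

// Hardened pattern: whether the key was supplied decides, not its contents.
// An explicitly empty list is passed through unchanged.
function buildOptionsFixed(userOptions = {}) {
  const provided = (key) =>
    Object.prototype.hasOwnProperty.call(userOptions, key) && userOptions[key] !== undefined;
  return {
    allowedTags: provided('allowedTags') ? userOptions.allowedTags : DEFAULT_ALLOWED_TAGS,
    allowedAttributes: provided('allowedAttributes')
      ? userOptions.allowedAttributes
      : DEFAULT_ALLOWED_ATTRIBUTES,
  };
}

// Toy tag stripper used only to make the merged options visible. It is NOT a
// real HTML sanitizer: it handles simple <tag attr="v"> / </tag> tokens only.
function toySanitize(html, { allowedTags, allowedAttributes }) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (token, tag, attrText) => {
    const name = tag.toLowerCase();
    if (!allowedTags.includes(name)) return '';          // tag not allowed: drop it
    if (token.startsWith('</')) return `</${name}>`;      // closing tag carries no attributes
    const permitted = allowedAttributes[name] || [];
    const kept = [];
    const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
    let m;
    while ((m = attrRe.exec(attrText)) !== null) {
      if (permitted.includes(m[1].toLowerCase())) kept.push(`${m[1]}="${m[2]}"`);
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Reviewer check: does an explicitly empty configuration survive merging?
// Returns true only if both allow-lists come out empty.
function respectsEmptyConfig(buildOptions) {
  const opts = buildOptions({ allowedTags: [], allowedAttributes: {} });
  return opts.allowedTags.length === 0 && Object.keys(opts.allowedAttributes).length === 0;
}

// Stand-alone demo: the same restrictive config through both helpers.
const restrictive = { allowedTags: [], allowedAttributes: {} };
const sample = '<b>bold</b> <a href="/x" onclick="y">link</a>'; // constructed input
console.log('weak :', toySanitize(sample, buildOptionsWeak(restrictive)));
console.log('fixed:', toySanitize(sample, buildOptionsFixed(restrictive)));
console.log('weak respects empty config?', respectsEmptyConfig(buildOptionsWeak));
console.log('fixed respects empty config?', respectsEmptyConfig(buildOptionsFixed));
```

With the weak helper, the restrictive configuration is discarded and the default tags and `href` attribute are preserved; with the fixed helper, all markup is stripped. The `provided()` test on key presence is the behaviour the 2.0.2 description calls for: an empty `allowedTags` or `allowedAttributes` is passed straight through rather than replaced.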
References (3)
Core References
x_refsource_confirm
https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq
x_refsource_misc
https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f
x_refsource_misc
https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2
Scores
CVSS v3
8.2
EPSS
0.0038
EPSS Percentile
29.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-183
CWE-79
Status
published
Products (3)
AhmedAdelFahim/express-xss-sanitizer
< 2.0.2
express_xss_sanitizer_project/express_xss_sanitizer
< 2.0.2
npm/express-xss-sanitizer
0 - 2.0.2 (npm)
Published
Mar 27, 2026
Tracked Since
Mar 29, 2026