{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33979", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T22:20:06.210Z", "datePublished": "2026-03-27T21:29:19.759Z", "dateUpdated": "2026-03-27T21:29:19.759Z"}, "containers": {"cna": {"title": "Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)", "problemTypes": [{"descriptions": [{"cweId": "CWE-183", "lang": "en", "description": "CWE-183: Permissive List of Allowed Inputs", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq"}, {"name": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f", "tags": ["x_refsource_MISC"], "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f"}, {"name": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2"}], "affected": [{"vendor": "AhmedAdelFahim", "product": "express-xss-sanitizer", "versions": [{"version": "< 2.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:29:19.759Z"}, "descriptions": [{"lang": "en", "value": "Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden."}], "source": {"advisory": "GHSA-3843-rr4g-m8jq", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden."}], "id": "CVE-2026-33979", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T22:16:22.433", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f"}, {"source": "security-advisories@github.com", "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-183"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "express-xss-sanitizer", "source": "cna", "vendor": "AhmedAdelFahim"}, "product": "express-xss-sanitizer", "vendor": "ahmedadelfahim"}], "analysis": {"en": {"generated_at": "2026-03-28T05:53:22.908839+00:00", "value": {"mitigation_remediation": ["Upgrade express-xss-sanitizer to version 2.0.2 or later", "Validate that the allowedTags and allowedAttributes settings are correctly applied and not silently ignored", "Test the sanitization by sending known XSS payloads to confirm no script execution occurs", "Deploy a Web Application Firewall or reverse proxy that blocks malicious scripts if the application cannot be patched immediately", "Monitor logs for repetitive XSS attempts and adjust input validation rules accordingly"], "summary": {"action": "Patch", "impact": "Cross Site Scripting"}, "threat_synthesis": {"affected_systems": "The issue affects the AhmedAdelFahim:express-xss-sanitizer package used by Express 4.x and 5.x applications. Any application that incorporates versions prior to 2.0.2 is at risk.", "description_and_impact": "Express XSS Sanitizer is a middleware that validates and cleans user supplied data in Express applications. In releases earlier than 2.0.2 the logic that respects the user\u2011supplied configuration for allowedTags and allowedAttributes silently ignores those settings. The result is that any tags or attributes are permitted through to the downstream code, allowing an attacker to inject malicious JavaScript content. This injection can occur in any request vector, such as the body, query string, headers, or URL parameters, and can compromise confidentiality, integrity and availability of the application or its users via client\u2011side exploitation or session hijacking.", "risk_and_exploitability": "With a CVSS score of 8.2 the vulnerability is classified as high severity. Although the EPSS score is not published, the widespread adoption of the package and the low effort required to craft a malicious request suggest a moderate to high likelihood of exploitation. The vulnerability is not yet listed in the CISA KEV catalog, but the combination of client\u2011side impact and broad usage makes it attractive to attackers. Exploitation occurs by sending crafted payloads to endpoints that rely on the sanitizer; if the middleware configuration is mis\u2011applied, the payloads traverse the application and execute in the victim\u2019s browser."}}}}, "created": "2026-03-29T20:29:35.310379+00:00", "updated": "2026-03-30T07:00:00.786236+00:00", "vendors": ["ahmedadelfahim", "ahmedadelfahim$PRODUCT$express-xss-sanitizer"]}