{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33979", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T22:20:06.210Z", "datePublished": "2026-03-27T21:29:19.759Z", "dateUpdated": "2026-03-31T14:29:43.694Z"}, "containers": {"cna": {"title": "Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)", "problemTypes": [{"descriptions": [{"cweId": "CWE-183", "lang": "en", "description": "CWE-183: Permissive List of Allowed Inputs", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq"}, {"name": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f", "tags": ["x_refsource_MISC"], "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f"}, {"name": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2"}], "affected": [{"vendor": "AhmedAdelFahim", "product": "express-xss-sanitizer", "versions": [{"version": "< 2.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:29:19.759Z"}, "descriptions": [{"lang": "en", "value": "Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden."}], "source": {"advisory": "GHSA-3843-rr4g-m8jq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:29:20.307360Z", "id": "CVE-2026-33979", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:29:43.694Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33979", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T14:29:20.307360Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:29:39.564Z"}}], "cna": {"title": "Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)", "source": {"advisory": "GHSA-3843-rr4g-m8jq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "AhmedAdelFahim", "product": "express-xss-sanitizer", "versions": [{"status": "affected", "version": "< 2.0.2"}]}], "references": [{"url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq", "name": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f", "name": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2", "name": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-183", "description": "CWE-183: Permissive List of Allowed Inputs"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:29:19.759Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33979", "state": "PUBLISHED", "dateUpdated": "2026-03-31T14:29:43.694Z", "dateReserved": "2026-03-24T22:20:06.210Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T21:29:19.759Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:express_xss_sanitizer_project:express_xss_sanitizer:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "3BCCF0CB-E43F-4D70-A024-7EE81877DDC9", "versionEndExcluding": "2.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden."}], "id": "CVE-2026-33979", "lastModified": "2026-03-31T18:24:58.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T22:16:22.433", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-183"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "express-xss-sanitizer", "source": "cna", "vendor": "AhmedAdelFahim"}, "product": "express-xss-sanitizer", "vendor": "ahmedadelfahim"}], "analysis": {"en": {"generated_at": "2026-03-31T20:07:35.772285+00:00", "value": {"mitigation_remediation": ["Upgrade express\u2011xss\u2011sanitizer to version 2.0.2 or later using npm or yarn, ensuring the application code starts using the patched dependency.", "Verify that configuration options for allowedTags and allowedAttributes are explicitly defined; the patched version now respects empty arrays but misconfiguration can still lead to unintended permissiveness.", "Run functional tests or automated XSS scanners against the customer\u2011facing endpoints to confirm that malicious payloads are no longer executed.", "Maintain a regular patch management schedule to monitor for new releases of the middleware and apply security updates promptly."], "summary": {"action": "Patch Now", "impact": "Cross\u2011site scripting via permissive sanitization"}, "threat_synthesis": {"affected_systems": "The problem affects the AhmedAdelFahim Express XSS Sanitizer package used as middleware in Express 4.x and 5.x applications. All versions before 2.0.2 are vulnerable; upgrading to 2.0.2 or later resolves the issue. Applications that rely on the package for input sanitization are at risk if they have not applied the patch or if they configure the options incorrectly.", "description_and_impact": "The Express XSS Sanitizer middleware intended to clean user input incorrectly ignores configurations for allowedTags or allowedAttributes. When these options are provided\u2014even as empty arrays\u2014the middleware passes them directly to a sanitization routine that defaults to permissive behaviour. As a result, malicious scripts injected into request bodies, queries, headers or parameters can bypass the sanitizer, allowing arbitrary JavaScript execution in the victim\u2019s browser. The weakness is a classic cross\u2011site scripting flaw, corresponding to CWE\u201179. The likely attack vector is an attacker who can send crafted HTTP requests to the application, but this conclusion is inferred from the description because the entry does not explicitly state the vector.", "risk_and_exploitability": "The CVSS base score of 8.2 classifies the flaw as high\u2011severity, indicating significant impact on confidentiality, integrity, and availability of the affected web service. The EPSS score is below 1%, suggesting a low probability of current exploitation, and the flaw is not listed in CISA\u2019s KEV catalog. Nonetheless, because the vulnerability enables arbitrary code execution via forged web requests, the potential damage is considerable and the recommended remediation is immediate."}}}}, "created": "2026-03-29T20:29:35.310379+00:00", "updated": "2026-03-31T20:11:52.593700+00:00", "vendors": ["ahmedadelfahim", "ahmedadelfahim$PRODUCT$express-xss-sanitizer"]}