{"url":"http://public2.vulnerablecode.io/api/packages/199107?format=json","purl":"pkg:npm/sanitize-html@0.1.2","type":"npm","namespace":"","name":"sanitize-html","version":"0.1.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.12.1","latest_non_vulnerable_version":"2.17.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54036?format=json","vulnerability_id":"VCID-11dz-y42w-ckg9","summary":"Origin Validation Error\nsanitize-html does not properly validate the hostnames set by the `allowedIframeHostnames` option when the `allowIframeRelativeUrls` is set to true, which allows attackers to bypass the hostname allow list for an iframe element.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26540.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26540.json"},{"reference_url":"https://advisory.checkmarx.net/advisory/CX-2021-4309","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://advisory.checkmarx.net/advisory/CX-2021-4309"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26540","reference_id":"","reference_type":"","scores":[{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52577","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52532","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52592","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52601","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52582","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52554","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26540"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/460","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/pull/460"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932323","reference_id":"1932323","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932323"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26540","reference_id":"CVE-2021-26540","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26540"},{"reference_url":"https://github.com/advisories/GHSA-mjxr-4v3x-q3m4","reference_id":"GHSA-mjxr-4v3x-q3m4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mjxr-4v3x-q3m4"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2438","reference_id":"RHSA-2021:2438","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2438"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3759","reference_id":"RHSA-2021:3759","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3759"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79706?format=json","purl":"pkg:npm/sanitize-html@2.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-56sx-chsd-nqfx"},{"vulnerability":"VCID-afdc-yaky-x7g8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.3.2"}],"aliases":["CVE-2021-26540","GHSA-mjxr-4v3x-q3m4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-11dz-y42w-ckg9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95185?format=json","vulnerability_id":"VCID-56sx-chsd-nqfx","summary":"The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25887.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25887.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25887","reference_id":"","reference_type":"","scores":[{"value":"0.00097","scoring_system":"epss","scoring_elements":"0.26708","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00097","scoring_system":"epss","scoring_elements":"0.26794","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00097","scoring_system":"epss","scoring_elements":"0.26754","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00097","scoring_system":"epss","scoring_elements":"0.26699","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00447","scoring_system":"epss","scoring_elements":"0.6385","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00447","scoring_system":"epss","scoring_elements":"0.63892","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25887"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/557","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/pull/557"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25887","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25887"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019219","reference_id":"1019219","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019219"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2123376","reference_id":"2123376","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2123376"},{"reference_url":"https://github.com/advisories/GHSA-cgfm-xwp7-2cvr","reference_id":"GHSA-cgfm-xwp7-2cvr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cgfm-xwp7-2cvr"},{"reference_url":"https://usn.ubuntu.com/7464-1/","reference_id":"USN-7464-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7464-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/147943?format=json","purl":"pkg:npm/sanitize-html@2.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-afdc-yaky-x7g8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.7.1"}],"aliases":["CVE-2022-25887","GHSA-cgfm-xwp7-2cvr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-56sx-chsd-nqfx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54039?format=json","vulnerability_id":"VCID-6jud-1rcn-zkhx","summary":"Origin Validation Error\nsanitize-html does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass the hostname allowlist validation set by the `allowedIframeHostnames` option.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26539.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26539.json"},{"reference_url":"https://advisory.checkmarx.net/advisory/CX-2021-4308","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://advisory.checkmarx.net/advisory/CX-2021-4308"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26539","reference_id":"","reference_type":"","scores":[{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52582","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52601","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52592","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52532","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52577","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52554","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26539"},{"reference_url":"https://github.com/apostrophecms/sanitize-html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/458","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/pull/458"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932362","reference_id":"1932362","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932362"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26539","reference_id":"CVE-2021-26539","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26539"},{"reference_url":"https://github.com/advisories/GHSA-rjqq-98f6-6j3r","reference_id":"GHSA-rjqq-98f6-6j3r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rjqq-98f6-6j3r"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:5633","reference_id":"RHSA-2020:5633","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:5633"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2438","reference_id":"RHSA-2021:2438","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2438"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3759","reference_id":"RHSA-2021:3759","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3759"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79710?format=json","purl":"pkg:npm/sanitize-html@2.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dz-y42w-ckg9"},{"vulnerability":"VCID-56sx-chsd-nqfx"},{"vulnerability":"VCID-afdc-yaky-x7g8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.3.1"}],"aliases":["CVE-2021-26539","GHSA-rjqq-98f6-6j3r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6jud-1rcn-zkhx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47114?format=json","vulnerability_id":"VCID-afdc-yaky-x7g8","summary":"sanitize-html Information Exposure vulnerability\nVersions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21501.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21501.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21501","reference_id":"","reference_type":"","scores":[{"value":"0.01807","scoring_system":"epss","scoring_elements":"0.83192","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01807","scoring_system":"epss","scoring_elements":"0.8319","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01807","scoring_system":"epss","scoring_elements":"0.8318","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01807","scoring_system":"epss","scoring_elements":"0.83186","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01807","scoring_system":"epss","scoring_elements":"0.83191","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21501"},{"reference_url":"https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf"},{"reference_url":"https://github.com/apostrophecms/apostrophe/discussions/4436","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://github.com/apostrophecms/apostrophe/discussions/4436"},{"reference_url":"https://github.com/apostrophecms/sanitize-html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/650","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/pull/650"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064808","reference_id":"1064808","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064808"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266111","reference_id":"2266111","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266111"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/","reference_id":"4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21501","reference_id":"CVE-2024-21501","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21501"},{"reference_url":"https://github.com/advisories/GHSA-rm97-x556-q36h","reference_id":"GHSA-rm97-x556-q36h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rm97-x556-q36h"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/","reference_id":"P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1770","reference_id":"RHSA-2024:1770","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1770"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69122?format=json","purl":"pkg:npm/sanitize-html@2.12.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.12.1"}],"aliases":["CVE-2024-21501","GHSA-rm97-x556-q36h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-afdc-yaky-x7g8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38053?format=json","vulnerability_id":"VCID-c2pb-5vhq-n7ce","summary":"XSS Vulnerability\nsanitize-html is vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one `nonTextTags`, the result is a potential XSS vulnerability.","references":[{"reference_url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/100","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/issues/100"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52584?format=json","purl":"pkg:npm/sanitize-html@1.11.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dz-y42w-ckg9"},{"vulnerability":"VCID-56sx-chsd-nqfx"},{"vulnerability":"VCID-6jud-1rcn-zkhx"},{"vulnerability":"VCID-afdc-yaky-x7g8"},{"vulnerability":"VCID-g191-pjq9-7bht"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.11.4"}],"aliases":["GMS-2016-17"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c2pb-5vhq-n7ce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39765?format=json","vulnerability_id":"VCID-cccv-dkqw-xyhu","summary":"Cross-site Scripting\nsanitize-html has a cross site scripting vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16017","reference_id":"","reference_type":"","scores":[{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50171","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50145","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50126","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50155","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.501","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50162","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16017"},{"reference_url":"https://github.com/advisories/GHSA-wg96-3933-j2w5","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wg96-3933-j2w5"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/19","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/issues/19"},{"reference_url":"https://github.com/punkave/sanitize-html/pull/20","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/pull/20"},{"reference_url":"https://www.npmjs.com/advisories/155","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/155"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16017","reference_id":"CVE-2017-16017","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16017"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51920?format=json","purl":"pkg:npm/sanitize-html@1.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dz-y42w-ckg9"},{"vulnerability":"VCID-56sx-chsd-nqfx"},{"vulnerability":"VCID-6jud-1rcn-zkhx"},{"vulnerability":"VCID-afdc-yaky-x7g8"},{"vulnerability":"VCID-c2pb-5vhq-n7ce"},{"vulnerability":"VCID-g191-pjq9-7bht"},{"vulnerability":"VCID-phaj-5jsn-pqfj"},{"vulnerability":"VCID-trf9-qcqm-97hu"},{"vulnerability":"VCID-unxn-wmqx-57cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.2.3"}],"aliases":["CVE-2017-16017","GHSA-wg96-3933-j2w5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cccv-dkqw-xyhu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58099?format=json","vulnerability_id":"VCID-g191-pjq9-7bht","summary":"sanitize-html is vulnerable to XSS through incomprehensive sanitization\n`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-25225.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-25225.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25225","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23534","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23565","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23648","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23631","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23585","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.2353","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25225"},{"reference_url":"https://github.com/apostrophecms/sanitize-html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/issues/293","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/issues/293"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/156","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/pull/156"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2393838","reference_id":"2393838","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2393838"},{"reference_url":"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225","reference_id":"CVE-2019-25225","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25225","reference_id":"CVE-2019-25225","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25225"},{"reference_url":"https://github.com/advisories/GHSA-qhxp-v273-g94h","reference_id":"GHSA-qhxp-v273-g94h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qhxp-v273-g94h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86461?format=json","purl":"pkg:npm/sanitize-html@2.0.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dz-y42w-ckg9"},{"vulnerability":"VCID-56sx-chsd-nqfx"},{"vulnerability":"VCID-6jud-1rcn-zkhx"},{"vulnerability":"VCID-afdc-yaky-x7g8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.0.0-beta"}],"aliases":["CVE-2019-25225","GHSA-qhxp-v273-g94h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g191-pjq9-7bht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39732?format=json","vulnerability_id":"VCID-phaj-5jsn-pqfj","summary":"Cross-site Scripting\nSanitize-html is vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one `nonTextTags`, the result is a potential XSS vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16016","reference_id":"","reference_type":"","scores":[{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52318","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.5228","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.5234","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52347","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52327","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52298","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16016"},{"reference_url":"https://github.com/advisories/GHSA-xc6g-ggrc-qq4r","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xc6g-ggrc-qq4r"},{"reference_url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403"},{"reference_url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/100","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/issues/100"},{"reference_url":"https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag"},{"reference_url":"https://www.npmjs.com/advisories/154","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/154"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16016","reference_id":"CVE-2017-16016","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16016"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55566?format=json","purl":"pkg:npm/sanitize-html@1.11.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dz-y42w-ckg9"},{"vulnerability":"VCID-56sx-chsd-nqfx"},{"vulnerability":"VCID-6jud-1rcn-zkhx"},{"vulnerability":"VCID-afdc-yaky-x7g8"},{"vulnerability":"VCID-c2pb-5vhq-n7ce"},{"vulnerability":"VCID-g191-pjq9-7bht"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.11.2"},{"url":"http://public2.vulnerablecode.io/api/packages/52584?format=json","purl":"pkg:npm/sanitize-html@1.11.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dz-y42w-ckg9"},{"vulnerability":"VCID-56sx-chsd-nqfx"},{"vulnerability":"VCID-6jud-1rcn-zkhx"},{"vulnerability":"VCID-afdc-yaky-x7g8"},{"vulnerability":"VCID-g191-pjq9-7bht"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.11.4"}],"aliases":["CVE-2017-16016","GHSA-xc6g-ggrc-qq4r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-phaj-5jsn-pqfj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30548?format=json","vulnerability_id":"VCID-trf9-qcqm-97hu","summary":"XSS - Sanitization not applied recursively\nSanitization of HTML strings is not applied recursively to input, allowing an attacker to potentially inject script and other markup.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000237","reference_id":"","reference_type":"","scores":[{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47432","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47465","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47451","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47481","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47499","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47497","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000237"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/issues/29","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/issues/29"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/29","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/issues/29"},{"reference_url":"https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json"},{"reference_url":"https://www.npmjs.com/advisories/135","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/135"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/135.json","reference_id":"135","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/135.json"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000237","reference_id":"CVE-2016-1000237","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000237"},{"reference_url":"https://github.com/advisories/GHSA-3j7m-hmh3-9jmp","reference_id":"GHSA-3j7m-hmh3-9jmp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3j7m-hmh3-9jmp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/6595?format=json","purl":"pkg:npm/sanitize-html@1.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dz-y42w-ckg9"},{"vulnerability":"VCID-56sx-chsd-nqfx"},{"vulnerability":"VCID-6jud-1rcn-zkhx"},{"vulnerability":"VCID-afdc-yaky-x7g8"},{"vulnerability":"VCID-c2pb-5vhq-n7ce"},{"vulnerability":"VCID-g191-pjq9-7bht"},{"vulnerability":"VCID-phaj-5jsn-pqfj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.4.3"}],"aliases":["CVE-2016-1000237","GHSA-3j7m-hmh3-9jmp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-trf9-qcqm-97hu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38185?format=json","vulnerability_id":"VCID-unxn-wmqx-57cq","summary":"XSS - Sanitization not applied recursively\nSanitization of HTML strings is not applied recursively to input, allowing an attacker to potentially inject script and other markup.","references":[{"reference_url":"https://github.com/punkave/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/29","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/issues/29"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/6595?format=json","purl":"pkg:npm/sanitize-html@1.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dz-y42w-ckg9"},{"vulnerability":"VCID-56sx-chsd-nqfx"},{"vulnerability":"VCID-6jud-1rcn-zkhx"},{"vulnerability":"VCID-afdc-yaky-x7g8"},{"vulnerability":"VCID-c2pb-5vhq-n7ce"},{"vulnerability":"VCID-g191-pjq9-7bht"},{"vulnerability":"VCID-phaj-5jsn-pqfj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.4.3"}],"aliases":["GMS-2016-57"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-unxn-wmqx-57cq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37725?format=json","vulnerability_id":"VCID-xpd8-acbr-ffab","summary":"Cross Site Scripting\nsanitize-html will merge an incomplete attribute like `SRC=` with the next attribute. While the result is not valid HTML it may be misinterpreted by the browser.","references":[{"reference_url":"https://github.com/punkave/sanitize-html/issues/19","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/issues/19"},{"reference_url":"https://github.com/punkave/sanitize-html/pull/20","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/pull/20"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51920?format=json","purl":"pkg:npm/sanitize-html@1.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dz-y42w-ckg9"},{"vulnerability":"VCID-56sx-chsd-nqfx"},{"vulnerability":"VCID-6jud-1rcn-zkhx"},{"vulnerability":"VCID-afdc-yaky-x7g8"},{"vulnerability":"VCID-c2pb-5vhq-n7ce"},{"vulnerability":"VCID-g191-pjq9-7bht"},{"vulnerability":"VCID-phaj-5jsn-pqfj"},{"vulnerability":"VCID-trf9-qcqm-97hu"},{"vulnerability":"VCID-unxn-wmqx-57cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.2.3"}],"aliases":["GMS-2014-17"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xpd8-acbr-ffab"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@0.1.2"}