{"url":"http://public2.vulnerablecode.io/api/packages/391154?format=json","purl":"pkg:npm/sanitize-html@1.1.3","type":"npm","namespace":"","name":"sanitize-html","version":"1.1.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.12.1","latest_non_vulnerable_version":"2.17.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46016?format=json","vulnerability_id":"VCID-2qdt-uasq-v7e7","summary":"sanitize-html: improper validation of hostnames set by the \"allowedIframeHostnames\" option can lead to bypass hostname whitelist for iframe element","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26540.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26540.json"},{"reference_url":"https://advisory.checkmarx.net/advisory/CX-2021-4309","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://advisory.checkmarx.net/advisory/CX-2021-4309"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26540","reference_id":"","reference_type":"","scores":[{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52504","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26540"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/460","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/pull/460"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26540","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26540"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932323","reference_id":"1932323","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932323"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2438","reference_id":"RHSA-2021:2438","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2438"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3759","reference_id":"RHSA-2021:3759","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3759"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80290?format=json","purl":"pkg:npm/sanitize-html@2.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4hp7-5eyr-ukge"},{"vulnerability":"VCID-w4zq-t3s1-vqhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.3.2"}],"aliases":["CVE-2021-26540","GHSA-mjxr-4v3x-q3m4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2qdt-uasq-v7e7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47344?format=json","vulnerability_id":"VCID-43kt-n5qa-77cp","summary":"Cross-Site Scripting in sanitize-html\nAffected versions of `sanitize-html` are vulnerable to cross-site scripting.\n\n## Proof of Concept:\n\n`<IMG SRC= onmouseover=\"alert('XSS');\">`\nproduces the following:\n\n`<img src=\"onmouseover=\"alert('XSS');\"\" />`\nThis is definitely invalid HTML, but would suggest that it's being interpreted incorrectly by the parser.\n\n\n## Recommendation\n\nUpdate to version 1.2.3 or later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16017","reference_id":"","reference_type":"","scores":[{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50063","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16017"},{"reference_url":"https://github.com/advisories/GHSA-wg96-3933-j2w5","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wg96-3933-j2w5"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/19","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/issues/19"},{"reference_url":"https://github.com/punkave/sanitize-html/pull/20","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/pull/20"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16017","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16017"},{"reference_url":"https://www.npmjs.com/advisories/155","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/155"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82384?format=json","purl":"pkg:npm/sanitize-html@1.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qdt-uasq-v7e7"},{"vulnerability":"VCID-4hp7-5eyr-ukge"},{"vulnerability":"VCID-7xft-898y-eff2"},{"vulnerability":"VCID-947j-sswe-cqbg"},{"vulnerability":"VCID-cejk-e2vq-tyfx"},{"vulnerability":"VCID-h373-vdqp-dbds"},{"vulnerability":"VCID-hcm4-42et-t7hy"},{"vulnerability":"VCID-v5ap-7sg3-w3aw"},{"vulnerability":"VCID-w4zq-t3s1-vqhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.2.3"}],"aliases":["CVE-2017-16017","GHSA-wg96-3933-j2w5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-43kt-n5qa-77cp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10557?format=json","vulnerability_id":"VCID-4hp7-5eyr-ukge","summary":"sanitize-html Information Exposure vulnerability\nVersions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21501.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21501.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21501","reference_id":"","reference_type":"","scores":[{"value":"0.01807","scoring_system":"epss","scoring_elements":"0.83134","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21501"},{"reference_url":"https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf"},{"reference_url":"https://github.com/apostrophecms/apostrophe/discussions/4436","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://github.com/apostrophecms/apostrophe/discussions/4436"},{"reference_url":"https://github.com/apostrophecms/sanitize-html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/650","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/pull/650"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21501","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21501"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064808","reference_id":"1064808","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064808"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266111","reference_id":"2266111","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266111"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/","reference_id":"4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/"},{"reference_url":"https://github.com/advisories/GHSA-rm97-x556-q36h","reference_id":"GHSA-rm97-x556-q36h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rm97-x556-q36h"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/","reference_id":"P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-28T17:45:45Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1770","reference_id":"RHSA-2024:1770","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1770"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27315?format=json","purl":"pkg:npm/sanitize-html@2.12.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.12.1"}],"aliases":["CVE-2024-21501","GHSA-rm97-x556-q36h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4hp7-5eyr-ukge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/115473?format=json","vulnerability_id":"VCID-7xft-898y-eff2","summary":"XSS Vulnerability\nsanitize-html is vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one `nonTextTags`, the result is a potential XSS vulnerability.","references":[{"reference_url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/100","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/issues/100"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82395?format=json","purl":"pkg:npm/sanitize-html@1.11.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qdt-uasq-v7e7"},{"vulnerability":"VCID-4hp7-5eyr-ukge"},{"vulnerability":"VCID-h373-vdqp-dbds"},{"vulnerability":"VCID-hcm4-42et-t7hy"},{"vulnerability":"VCID-w4zq-t3s1-vqhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.11.4"}],"aliases":["GMS-2016-17"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7xft-898y-eff2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/115702?format=json","vulnerability_id":"VCID-947j-sswe-cqbg","summary":"XSS - Sanitization not applied recursively\nSanitization of HTML strings is not applied recursively to input, allowing an attacker to potentially inject script and other markup.","references":[{"reference_url":"https://github.com/punkave/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/29","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/issues/29"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73248?format=json","purl":"pkg:npm/sanitize-html@1.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qdt-uasq-v7e7"},{"vulnerability":"VCID-4hp7-5eyr-ukge"},{"vulnerability":"VCID-7xft-898y-eff2"},{"vulnerability":"VCID-h373-vdqp-dbds"},{"vulnerability":"VCID-hcm4-42et-t7hy"},{"vulnerability":"VCID-v5ap-7sg3-w3aw"},{"vulnerability":"VCID-w4zq-t3s1-vqhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.4.3"}],"aliases":["GMS-2016-57"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-947j-sswe-cqbg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39438?format=json","vulnerability_id":"VCID-cejk-e2vq-tyfx","summary":"Cross-Site Scripting in sanitize-html\nAffected versions of `sanitize-html` do not sanitize input recursively, which may allow an attacker to execute arbitrary Javascript.\n\n\n## Recommendation\n\nUpdate to version 1.4.3 or later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000237","reference_id":"","reference_type":"","scores":[{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47407","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000237"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/issues/29","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/issues/29"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/29","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/issues/29"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000237","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000237"},{"reference_url":"https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json"},{"reference_url":"https://www.npmjs.com/advisories/135","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/135"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/135.json","reference_id":"135","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/135.json"},{"reference_url":"https://github.com/advisories/GHSA-3j7m-hmh3-9jmp","reference_id":"GHSA-3j7m-hmh3-9jmp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3j7m-hmh3-9jmp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73248?format=json","purl":"pkg:npm/sanitize-html@1.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qdt-uasq-v7e7"},{"vulnerability":"VCID-4hp7-5eyr-ukge"},{"vulnerability":"VCID-7xft-898y-eff2"},{"vulnerability":"VCID-h373-vdqp-dbds"},{"vulnerability":"VCID-hcm4-42et-t7hy"},{"vulnerability":"VCID-v5ap-7sg3-w3aw"},{"vulnerability":"VCID-w4zq-t3s1-vqhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.4.3"}],"aliases":["CVE-2016-1000237","GHSA-3j7m-hmh3-9jmp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cejk-e2vq-tyfx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/114899?format=json","vulnerability_id":"VCID-evm5-dstk-h7bv","summary":"Cross Site Scripting\nsanitize-html will merge an incomplete attribute like `SRC=` with the next attribute. While the result is not valid HTML it may be misinterpreted by the browser.","references":[{"reference_url":"https://github.com/punkave/sanitize-html/issues/19","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/issues/19"},{"reference_url":"https://github.com/punkave/sanitize-html/pull/20","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/punkave/sanitize-html/pull/20"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82384?format=json","purl":"pkg:npm/sanitize-html@1.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qdt-uasq-v7e7"},{"vulnerability":"VCID-4hp7-5eyr-ukge"},{"vulnerability":"VCID-7xft-898y-eff2"},{"vulnerability":"VCID-947j-sswe-cqbg"},{"vulnerability":"VCID-cejk-e2vq-tyfx"},{"vulnerability":"VCID-h373-vdqp-dbds"},{"vulnerability":"VCID-hcm4-42et-t7hy"},{"vulnerability":"VCID-v5ap-7sg3-w3aw"},{"vulnerability":"VCID-w4zq-t3s1-vqhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.2.3"}],"aliases":["GMS-2014-17"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-evm5-dstk-h7bv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18350?format=json","vulnerability_id":"VCID-h373-vdqp-dbds","summary":"sanitize-html: sanitize-html cross site scripting","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-25225.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-25225.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25225","reference_id":"","reference_type":"","scores":[{"value":"0.00071","scoring_system":"epss","scoring_elements":"0.21941","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25225"},{"reference_url":"https://github.com/apostrophecms/sanitize-html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/issues/293","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/issues/293"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/156","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/apostrophecms/sanitize-html/pull/156"},{"reference_url":"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-08T15:17:07Z/"}],"url":"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25225","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25225"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2393838","reference_id":"2393838","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2393838"},{"reference_url":"https://github.com/advisories/GHSA-qhxp-v273-g94h","reference_id":"GHSA-qhxp-v273-g94h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qhxp-v273-g94h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62593?format=json","purl":"pkg:npm/sanitize-html@2.0.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qdt-uasq-v7e7"},{"vulnerability":"VCID-4hp7-5eyr-ukge"},{"vulnerability":"VCID-hcm4-42et-t7hy"},{"vulnerability":"VCID-w4zq-t3s1-vqhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.0.0-beta"}],"aliases":["CVE-2019-25225","GHSA-qhxp-v273-g94h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h373-vdqp-dbds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45854?format=json","vulnerability_id":"VCID-hcm4-42et-t7hy","summary":"Improper Input Validation in sanitize-html\nApostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the \"allowedIframeHostnames\" option.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26539.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26539.json"},{"reference_url":"https://advisory.checkmarx.net/advisory/CX-2021-4308","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://advisory.checkmarx.net/advisory/CX-2021-4308"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26539","reference_id":"","reference_type":"","scores":[{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52504","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-26539"},{"reference_url":"https://github.com/apostrophecms/sanitize-html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/458","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/pull/458"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26539","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26539"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932362","reference_id":"1932362","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932362"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:5633","reference_id":"RHSA-2020:5633","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:5633"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2438","reference_id":"RHSA-2021:2438","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2438"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3759","reference_id":"RHSA-2021:3759","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3759"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79949?format=json","purl":"pkg:npm/sanitize-html@2.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qdt-uasq-v7e7"},{"vulnerability":"VCID-4hp7-5eyr-ukge"},{"vulnerability":"VCID-w4zq-t3s1-vqhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.3.1"}],"aliases":["CVE-2021-26539","GHSA-rjqq-98f6-6j3r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hcm4-42et-t7hy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47357?format=json","vulnerability_id":"VCID-v5ap-7sg3-w3aw","summary":"Cross-Site Scripting in sanitize-html\nAffected versions of `sanitize-html` are vulnerable to cross-site scripting when allowedTags includes at least one `nonTextTag`.\n\n## Proof of Concept\n\n```js\nvar sanitizeHtml = require('sanitize-html');\n\nvar dirty = '!<textarea>&lt;/textarea&gt;<svg/onload=prompt`xs`&gt;</textarea>!';\nvar clean = sanitizeHtml(dirty, {\n    allowedTags: [ 'textarea' ]\n});\n\nconsole.log(clean);\n\n// !<textarea></textarea><svg/onload=prompt`xs`></textarea>!\n```\n\n\n## Recommendation\n\nUpdate to version 1.11.4 or later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16016","reference_id":"","reference_type":"","scores":[{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52255","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16016"},{"reference_url":"https://github.com/advisories/GHSA-xc6g-ggrc-qq4r","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xc6g-ggrc-qq4r"},{"reference_url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403"},{"reference_url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))"},{"reference_url":"https://github.com/punkave/sanitize-html/issues/100","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/punkave/sanitize-html/issues/100"},{"reference_url":"https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16016","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16016"},{"reference_url":"https://www.npmjs.com/advisories/154","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/154"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/369536?format=json","purl":"pkg:npm/sanitize-html@1.11.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qdt-uasq-v7e7"},{"vulnerability":"VCID-4hp7-5eyr-ukge"},{"vulnerability":"VCID-7xft-898y-eff2"},{"vulnerability":"VCID-h373-vdqp-dbds"},{"vulnerability":"VCID-hcm4-42et-t7hy"},{"vulnerability":"VCID-w4zq-t3s1-vqhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.11.2"},{"url":"http://public2.vulnerablecode.io/api/packages/82395?format=json","purl":"pkg:npm/sanitize-html@1.11.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qdt-uasq-v7e7"},{"vulnerability":"VCID-4hp7-5eyr-ukge"},{"vulnerability":"VCID-h373-vdqp-dbds"},{"vulnerability":"VCID-hcm4-42et-t7hy"},{"vulnerability":"VCID-w4zq-t3s1-vqhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.11.4"}],"aliases":["CVE-2017-16016","GHSA-xc6g-ggrc-qq4r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v5ap-7sg3-w3aw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41351?format=json","vulnerability_id":"VCID-w4zq-t3s1-vqhv","summary":"sanitize-html: insecure global regular expression replacement logic may lead to ReDoS","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25887.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25887.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25887","reference_id":"","reference_type":"","scores":[{"value":"0.00447","scoring_system":"epss","scoring_elements":"0.63805","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25887"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c"},{"reference_url":"https://github.com/apostrophecms/sanitize-html/pull/557","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/sanitize-html/pull/557"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25887","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25887"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019219","reference_id":"1019219","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019219"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2123376","reference_id":"2123376","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2123376"},{"reference_url":"https://github.com/advisories/GHSA-cgfm-xwp7-2cvr","reference_id":"GHSA-cgfm-xwp7-2cvr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cgfm-xwp7-2cvr"},{"reference_url":"https://usn.ubuntu.com/7464-1/","reference_id":"USN-7464-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7464-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/87359?format=json","purl":"pkg:npm/sanitize-html@2.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4hp7-5eyr-ukge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@2.7.1"}],"aliases":["CVE-2022-25887","GHSA-cgfm-xwp7-2cvr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w4zq-t3s1-vqhv"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sanitize-html@1.1.3"}