Improper Encoding or Escaping of Output in sanitize-html | CVE-2026-45011

Q: How to fix?

Upgrade sanitize-html to version 2.17.4 or higher.

Introduced: 14 May 2026

NewCVE-2026-45011 (opens in a new tab) CWE-116 (opens in a new tab) CWE-79 (opens in a new tab)

How to fix?

Upgrade sanitize-html to version 2.17.4 or higher.

Overview

sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An attacker can execute arbitrary JavaScript by supplying a javascript: URL in an image widget's link URL field and having it rendered on the page. This affects users who can edit content and allows an attacker to run a script in viewers’ browsers, exposing session data and enabling unauthorized actions on the affected site.

Workaround

Restrict who can edit or publish image widgets so untrusted users cannot set the Link to field to a javascript: URL; this prevents stored XSS from being published to pages viewed by others.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
Passive

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
Low
Integrity (SI)
Low
Availability (SA)
None

Improper Encoding or Escaping of Output Affecting sanitize-html package, versions <2.17.4

Severity

Do your applications use this vulnerable package?