
3 vulnerabilities by mganss

CVE-2026-25543 (GCVE-0-2026-25543)

Vulnerability from cvelistv5 – Published: 2026-02-04 21:45 – Updated: 2026-02-04 21:45
Title
HtmlSanitizer has a bypass via template tag
Summary
HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its contents, unless the shadowrootmode attribute is set to open or closed; in that case the browser renders the contents as a declarative shadow root, so the unsanitized markup reaches the page. This issue has been patched in versions 9.0.892 and 9.1.893-beta.
CWE
  • CWE-116 - Improper Encoding or Escaping of Output
Assigner
Impacted products
Vendor Product Version
mganss HtmlSanitizer Affected: < 9.0.892
Affected: < 9.1.893-beta

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "HtmlSanitizer",
          "vendor": "mganss",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.0.892"
            },
            {
              "status": "affected",
              "version": "\u003c 9.1.893-beta"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its contents, unless the shadowrootmode attribute is set to open or closed. This issue has been patched in versions 9.0.892 and 9.1.893-beta."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116: Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-04T21:45:25.665Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f"
        },
        {
          "name": "https://github.com/mganss/HtmlSanitizer/commit/0ac53dca30ddad963f2b243669a5066933d82b81",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mganss/HtmlSanitizer/commit/0ac53dca30ddad963f2b243669a5066933d82b81"
        },
        {
          "name": "https://www.nuget.org/packages/HtmlSanitizer/9.0.892",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.nuget.org/packages/HtmlSanitizer/9.0.892"
        },
        {
          "name": "https://www.nuget.org/packages/HtmlSanitizer/9.1.893-beta",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.nuget.org/packages/HtmlSanitizer/9.1.893-beta"
        }
      ],
      "source": {
        "advisory": "GHSA-j92c-7v7g-gj3f",
        "discovery": "UNKNOWN"
      },
      "title": "HtmlSanitizer has a bypass via template tag"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25543",
    "datePublished": "2026-02-04T21:45:25.665Z",
    "dateReserved": "2026-02-02T19:59:47.375Z",
    "dateUpdated": "2026-02-04T21:45:25.665Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-44390 (GCVE-0-2023-44390)

Vulnerability from cvelistv5 – Published: 2023-10-05 13:41 – Updated: 2024-09-19 17:32
Title
HtmlSanitizer vulnerable to Cross-site Scripting in Foreign Content
Summary
HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. The vulnerability occurs in configurations where foreign content is allowed, i.e. where either `svg` or `math` is in the list of allowed elements. If an application sanitizes user input with a vulnerable configuration, an attacker could bypass the sanitization and inject arbitrary HTML, including JavaScript code. Note that the vulnerability is not present in the default configuration. The vulnerability has been fixed in versions 8.0.723 and 8.1.722-beta (preview version).
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
mganss HtmlSanitizer Affected: < 8.0.723
Affected: >= 8.1.0-beta, < 8.1.722-beta

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:07:33.110Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-43cp-6p3q-2pc4",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-43cp-6p3q-2pc4"
          },
          {
            "name": "https://github.com/mganss/HtmlSanitizer/commit/ab29319866c020f0cc11e6b92228cd8039196c6e",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mganss/HtmlSanitizer/commit/ab29319866c020f0cc11e6b92228cd8039196c6e"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-44390",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-19T17:31:53.657681Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-19T17:32:06.969Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "HtmlSanitizer",
          "vendor": "mganss",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 8.0.723"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.1.0-beta, \u003c 8.1.722-beta"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. The vulnerability occurs in configurations where foreign content is allowed, i.e. either `svg` or `math` are in the list of allowed elements. In the case an application sanitizes user input with a vulnerable configuration, an attacker could bypass the sanitization and inject arbitrary HTML, including JavaScript code. Note that in the default configuration the vulnerability is not present. The vulnerability has been fixed in versions 8.0.723 and 8.1.722-beta (preview version)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-05T13:41:20.387Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-43cp-6p3q-2pc4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-43cp-6p3q-2pc4"
        },
        {
          "name": "https://github.com/mganss/HtmlSanitizer/commit/ab29319866c020f0cc11e6b92228cd8039196c6e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mganss/HtmlSanitizer/commit/ab29319866c020f0cc11e6b92228cd8039196c6e"
        }
      ],
      "source": {
        "advisory": "GHSA-43cp-6p3q-2pc4",
        "discovery": "UNKNOWN"
      },
      "title": "HtmlSanitizer vulnerable to Cross-site Scripting in Foreign Content"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-44390",
    "datePublished": "2023-10-05T13:41:20.387Z",
    "dateReserved": "2023-09-28T17:56:32.613Z",
    "dateUpdated": "2024-09-19T17:32:06.969Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-26293 (GCVE-0-2020-26293)

Vulnerability from cvelistv5 – Published: 2021-01-04 18:20 – Updated: 2024-08-04 15:56
Title
Possible XSS bypass if style tag is allowed
Summary
HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if the `<style>` tag is allowed. If you have explicitly allowed the `<style>` tag, an attacker could craft HTML that still includes script after passing through the sanitizer. The default settings disallow the `<style>` tag, so there is no risk if you have not explicitly allowed it. The problem has been fixed in version 5.0.372.
CWE
  • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
Impacted products
Vendor Product Version
mganss HtmlSanitizer Affected: < 5.0.372

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:56:03.977Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-8j9v-h2vp-2hhv"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.nuget.org/packages/HtmlSanitizer/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mganss/HtmlSanitizer/releases/tag/v5.0.372"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mganss/HtmlSanitizer/commit/a3a7602a44d4155d51ec0fbbedc2a49e9c7e2eb8"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "HtmlSanitizer",
          "vendor": "mganss",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.0.372"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the `\u003cstyle\u003e` tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the `\u003cstyle\u003e` tag so there is no risk if you have not explicitly allowed the `\u003cstyle\u003e` tag. The problem has been fixed in version 5.0.372."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-04T18:20:14",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-8j9v-h2vp-2hhv"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.nuget.org/packages/HtmlSanitizer/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mganss/HtmlSanitizer/releases/tag/v5.0.372"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mganss/HtmlSanitizer/commit/a3a7602a44d4155d51ec0fbbedc2a49e9c7e2eb8"
        }
      ],
      "source": {
        "advisory": "GHSA-8j9v-h2vp-2hhv",
        "discovery": "UNKNOWN"
      },
      "title": "Possible XSS bypass if style tag is allowed",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-26293",
          "STATE": "PUBLIC",
          "TITLE": "Possible XSS bypass if style tag is allowed"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "HtmlSanitizer",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 5.0.372"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "mganss"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the `\u003cstyle\u003e` tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the `\u003cstyle\u003e` tag so there is no risk if you have not explicitly allowed the `\u003cstyle\u003e` tag. The problem has been fixed in version 5.0.372."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-8j9v-h2vp-2hhv",
              "refsource": "CONFIRM",
              "url": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-8j9v-h2vp-2hhv"
            },
            {
              "name": "https://www.nuget.org/packages/HtmlSanitizer/",
              "refsource": "MISC",
              "url": "https://www.nuget.org/packages/HtmlSanitizer/"
            },
            {
              "name": "https://github.com/mganss/HtmlSanitizer/releases/tag/v5.0.372",
              "refsource": "MISC",
              "url": "https://github.com/mganss/HtmlSanitizer/releases/tag/v5.0.372"
            },
            {
              "name": "https://github.com/mganss/HtmlSanitizer/commit/a3a7602a44d4155d51ec0fbbedc2a49e9c7e2eb8",
              "refsource": "MISC",
              "url": "https://github.com/mganss/HtmlSanitizer/commit/a3a7602a44d4155d51ec0fbbedc2a49e9c7e2eb8"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-8j9v-h2vp-2hhv",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-26293",
    "datePublished": "2021-01-04T18:20:14",
    "dateReserved": "2020-10-01T00:00:00",
    "dateUpdated": "2024-08-04T15:56:03.977Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}