CVE-2026-25543 is a vulnerability in the mganss HtmlSanitizer library, a .NET tool used to clean HTML fragments and documents to prevent XSS attacks. The issue stems from improper encoding or escaping of output (CWE-116) specifically related to the handling of the HTML <template> tag. Prior to versions 9.0.892 and 9.1.893-beta, if the <template> tag is allowed in the sanitized HTML, its contents are not sanitized because the tag is designed not to render its contents unless the shadowrootmode attribute is set to 'open' or 'closed'. This oversight allows malicious scripts embedded inside the <template> tag to bypass sanitization and potentially execute in the context of the victim’s browser, leading to cross-site scripting attacks. The vulnerability is exploitable remotely without authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score of 6.3 reflects a medium severity, considering the network attack vector, low attack complexity, and no privileges or user interaction required. The scope is limited to applications that allow the <template> tag and use vulnerable HtmlSanitizer versions. No known exploits have been reported in the wild, but the issue has been addressed in the patched versions 9.0.892 and 9.1.893-beta. Organizations relying on this library for HTML sanitization should prioritize upgrading and reviewing their sanitization policies regarding the <template> tag.

For European organizations, this vulnerability poses a risk primarily to web applications and services that utilize the mganss HtmlSanitizer library for HTML content sanitization. Successful exploitation could lead to cross-site scripting (XSS) attacks, enabling attackers to execute arbitrary scripts in users’ browsers. This can result in theft of sensitive information such as session tokens, user credentials, or personal data, violating GDPR and other data protection regulations. It could also allow attackers to manipulate web content or perform actions on behalf of users, undermining data integrity and trust. The vulnerability’s remote exploitability without authentication increases the attack surface, especially for public-facing applications. Industries with high regulatory scrutiny and sensitive data, such as finance, healthcare, and government sectors, are particularly at risk. Additionally, reputational damage and potential legal consequences could arise from breaches caused by this vulnerability.

1. Upgrade all instances of mganss HtmlSanitizer to version 9.0.892 or later (including 9.1.893-beta) to apply the official patch addressing this vulnerability. 2. Audit existing codebases to identify usage of the <template> tag within sanitized HTML and assess whether it is necessary to allow this tag. 3. If the <template> tag is required, implement additional custom sanitization or validation to ensure its contents do not contain executable scripts or malicious payloads. 4. Employ Content Security Policy (CSP) headers to restrict script execution and reduce the impact of potential XSS attacks. 5. Conduct thorough security testing, including static analysis and dynamic scanning, focusing on HTML sanitization and injection points. 6. Educate developers on secure handling of HTML content and the risks associated with improper sanitization of special tags like <template>. 7. Monitor security advisories for updates or new exploits related to HtmlSanitizer and respond promptly.