CVE-2026-25543 is a vulnerability classified under CWE-116 (Improper Encoding or Escaping of Output) affecting the mganss HtmlSanitizer library, a widely used .NET component designed to clean HTML fragments and documents to prevent XSS attacks. The flaw exists in versions prior to 9.0.892 and 9.1.893-beta, where if the <template> HTML tag is allowed by the sanitizer configuration, its contents are not sanitized. The <template> tag is unique in that its contents do not render directly in the DOM unless the shadowrootmode attribute is set to 'open' or 'closed', which activates the shadow DOM and can cause the embedded scripts or malicious content to execute. Because the sanitizer fails to clean the inner content of this tag, attackers can inject malicious scripts that bypass the sanitization process, leading to potential XSS attacks. The vulnerability does not require authentication or user interaction and can be exploited remotely by submitting crafted HTML content to applications using vulnerable versions of HtmlSanitizer. The issue has been addressed in versions 9.0.892 and 9.1.893-beta by ensuring proper sanitization of the <template> tag contents. The CVSS 4.0 base score is 6.3, indicating a medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. No known exploits have been reported in the wild, but the risk remains significant for applications that rely on HtmlSanitizer to clean untrusted HTML input.

For European organizations, this vulnerability poses a risk primarily to web applications that incorporate user-generated or third-party HTML content and rely on the mganss HtmlSanitizer library for sanitization. Successful exploitation can lead to cross-site scripting (XSS) attacks, which may result in session hijacking, credential theft, unauthorized actions on behalf of users, or distribution of malware. This compromises confidentiality and integrity of user data and can damage organizational reputation. The vulnerability's exploitation does not require user interaction or authentication, increasing the risk of automated or large-scale attacks. Organizations in sectors such as finance, healthcare, and government, which handle sensitive data and have strict compliance requirements under GDPR, may face regulatory and legal consequences if exploited. Additionally, the presence of the shadow DOM feature in modern browsers increases the attack surface, making this vulnerability relevant in contemporary web environments. The medium severity score reflects a moderate but non-negligible threat that should be addressed promptly to prevent potential exploitation.

To mitigate this vulnerability, organizations should immediately upgrade all instances of mganss HtmlSanitizer to version 9.0.892 or later, or 9.1.893-beta or later, where the issue is patched. Review and audit all web applications that sanitize HTML content to identify usage of the <template> tag and ensure it is either disallowed or properly sanitized. Implement strict Content Security Policies (CSP) to restrict script execution and reduce the impact of potential XSS attacks. Conduct thorough input validation and output encoding beyond relying solely on HtmlSanitizer, especially for user-generated content. Monitor web application logs and security alerts for unusual activity that may indicate attempted exploitation. Educate developers about the risks associated with the <template> tag and shadow DOM features in the context of sanitization. Finally, consider employing runtime application self-protection (RASP) or web application firewalls (WAF) with rules tailored to detect and block XSS payloads targeting this vulnerability.