The vulnerability identified as CVE-2026-33979 affects the express-xss-sanitizer middleware used in Express.js applications to sanitize user inputs across req.body, req.query, req.headers, and req.params to prevent Cross-Site Scripting (XSS) attacks. Versions prior to 2.0.2 contain a flaw where restrictive sanitization configurations, specifically those that define allowedTags or allowedAttributes, are silently ignored. This means that even if a developer configures the sanitizer to allow only a limited set of HTML tags or attributes, the middleware fails to enforce these restrictions, resulting in a permissive sanitization policy. Consequently, malicious input containing script tags or event handlers can bypass the sanitizer and be executed in the context of the victim's browser. The root cause lies in the middleware's validation logic, which did not properly respect empty or explicitly set configurations and instead defaulted to a more permissive behavior. In version 2.0.2, this logic was corrected so that any provided configuration, including empty arrays for allowedTags or allowedAttributes, is passed directly to the sanitize-html library, ensuring the intended restrictive sanitization is enforced. The vulnerability is classified under CWE-183 (Permissive List of Allowed Inputs) and CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., XSS). The CVSS v3.1 score is 8.2 (high), reflecting the vulnerability's network attack vector, low attack complexity, no privileges required, no user interaction, and significant impact on integrity and partial impact on confidentiality. Although no known exploits have been reported in the wild, the vulnerability presents a critical risk to web applications relying on this middleware for input sanitization.

The primary impact of this vulnerability is the potential for Cross-Site Scripting (XSS) attacks, which can lead to unauthorized script execution in users' browsers. This compromises the confidentiality and integrity of user data, enabling attackers to steal session tokens, perform actions on behalf of users, or deface web content. Since the vulnerability can be exploited remotely without authentication or user interaction, it poses a significant risk to any web application using affected versions of express-xss-sanitizer. Organizations may face data breaches, loss of user trust, regulatory penalties, and reputational damage. The scope includes all Express.js applications that incorporate express-xss-sanitizer versions prior to 2.0.2, which may be widespread given the popularity of Express.js in web development. The vulnerability does not directly affect availability but can indirectly cause service disruptions through exploitation or remediation efforts.

To mitigate this vulnerability, organizations should immediately upgrade express-xss-sanitizer to version 2.0.2 or later, where the sanitization logic correctly respects restrictive configurations. Developers should audit their sanitization configurations to ensure allowedTags and allowedAttributes are explicitly defined according to the principle of least privilege. It is recommended to implement Content Security Policy (CSP) headers as an additional defense-in-depth measure against XSS. Regular dependency scanning and software composition analysis should be employed to detect vulnerable versions of express-xss-sanitizer in codebases. Additionally, security testing including automated and manual penetration testing should be conducted to verify that input sanitization is effective. Monitoring web application logs for unusual script injection attempts can help detect exploitation attempts early. Finally, educating developers on secure coding practices related to input validation and sanitization is crucial to prevent similar issues.