CVE-2026-33979: CWE-183: Permissive List of Allowed Inputs in AhmedAdelFahim express-xss-sanitizer
Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.
AI Analysis
Technical Summary
The express-xss-sanitizer middleware sanitizes user input in Express applications to prevent Cross-Site Scripting (XSS) attacks. In versions before 2.0.2, if restrictive sanitization configurations such as allowedTags or allowedAttributes were provided, they were silently ignored, resulting in a permissive sanitization policy that could allow malicious input to pass through. Version 2.0.2 fixes this by ensuring that explicitly provided empty configurations are respected and passed directly to the underlying sanitize-html library, thereby enforcing the intended sanitization rules. This vulnerability is identified as CVE-2026-33979 and has a CVSS 3.1 score of 8.2, indicating high severity due to its network attack vector, low attack complexity, no privileges required, no user interaction, and impact on confidentiality and integrity.
Potential Impact
The vulnerability allows potentially malicious input to bypass intended sanitization controls, increasing the risk of Cross-Site Scripting (XSS) attacks. This can lead to unauthorized script execution in the context of affected web applications, compromising data confidentiality and integrity. There is no indication of availability impact. No known exploits have been reported in the wild as of the provided data.
Mitigation Recommendations
Users of express-xss-sanitizer should upgrade to version 2.0.2 or later, where the sanitization logic correctly respects restrictive configurations. Since no official patch links or vendor advisories are provided, users should verify the version in use and apply the update accordingly. Patch status is not explicitly confirmed beyond the version mention, so users should consult the official project repository or vendor advisory for the latest remediation guidance.
CVE-2026-33979: CWE-183: Permissive List of Allowed Inputs in AhmedAdelFahim express-xss-sanitizer
Description
Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The express-xss-sanitizer middleware sanitizes user input in Express applications to prevent Cross-Site Scripting (XSS) attacks. In versions before 2.0.2, if restrictive sanitization configurations such as allowedTags or allowedAttributes were provided, they were silently ignored, resulting in a permissive sanitization policy that could allow malicious input to pass through. Version 2.0.2 fixes this by ensuring that explicitly provided empty configurations are respected and passed directly to the underlying sanitize-html library, thereby enforcing the intended sanitization rules. This vulnerability is identified as CVE-2026-33979 and has a CVSS 3.1 score of 8.2, indicating high severity due to its network attack vector, low attack complexity, no privileges required, no user interaction, and impact on confidentiality and integrity.
Potential Impact
The vulnerability allows potentially malicious input to bypass intended sanitization controls, increasing the risk of Cross-Site Scripting (XSS) attacks. This can lead to unauthorized script execution in the context of affected web applications, compromising data confidentiality and integrity. There is no indication of availability impact. No known exploits have been reported in the wild as of the provided data.
Mitigation Recommendations
Users of express-xss-sanitizer should upgrade to version 2.0.2 or later, where the sanitization logic correctly respects restrictive configurations. Since no official patch links or vendor advisories are provided, users should verify the version in use and apply the update accordingly. Patch status is not explicitly confirmed beyond the version mention, so users should consult the official project repository or vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T22:20:06.210Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c6fa4f3c064ed76ffa5f18
Added to database: 3/27/2026, 9:44:47 PM
Last enriched: 4/4/2026, 10:54:16 AM
Last updated: 5/11/2026, 5:43:25 AM
Views: 65
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.