CVE-2026-33979 | AhmedAdelFahim express-xss-sanitizer up to 2.0.1 req.body/req.query/req.headers/req.params permissive list of allowed inputs (GHSA-3843-rr4g-m8jq)

VDB-354054 · CVE-2026-33979 · GHSA-3843-RR4G-M8JQ AHMEDADELFAHIM EXPRESS-XSS-SANITIZER UP TO 2.0.1 REQ.BODY/REQ.QUERY/REQ.HEADERS/REQ.PARAMS PERMISSIVE LIST OF ALLOWED INPUTS HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 7.6 $0-$5k 4.85- Summaryinfo A vulnerability categorized as critical has been discovered in AhmedAdelFahim express-xss-sanitizer up to 2.0.1. This affects an unknown function. The manipulation of the argument req.body/req.query/req.headers/req.params results in permissive list of allowed inputs. This vulnerability is cataloged as CVE-2026-33979. The attack may be launched remotely. There is no exploit available. It is advisable to upgrade the affected component. Detailsinfo A vulnerability, which was classified as critical, was found in AhmedAdelFahim express-xss-sanitizer up to 2.0.1. Affected is an unknown functionality. The manipulation of the argument req.body/req.query/req.headers/req.params with an unknown input leads to a permissive list of allowed inputs vulnerability. CWE is classifying the issue as CWE-183. The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes: Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden. The advisory is available at github.com. This vulnerability is traded as CVE-2026-33979 since 03/24/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details are known, but there is no available exploit. Upgrading to version 2.0.2 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 5623009ef11dcf095c163a38dea07b9cc22ad19f is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version. Productinfo Vendor AhmedAdelFahim Name express-xss-sanitizer Version 2.0.0 2.0.1 License open-source Website Product: https://github.com/AhmedAdelFahim/express-xss-sanitizer/ CPE 2.3info 🔒 🔒 CPE 2.2info 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 7.7 VulDB Meta Temp Score: 7.6 VulDB Base Score: 7.3 VulDB Temp Score: 7.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 8.2 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Permissive list of allowed inputs CWE: CWE-183 / CWE-20 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: express-xss-sanitizer 2.0.2 Patch: 5623009ef11dcf095c163a38dea07b9cc22ad19f Timelineinfo 03/24/2026 CVE reserved 03/27/2026 +3 days Advisory disclosed 03/27/2026 +0 days VulDB entry created 03/27/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: GHSA-3843-rr4g-m8jq Status: Confirmed CVE: CVE-2026-33979 (🔒) GCVE (CVE): GCVE-0-2026-33979 GCVE (VulDB): GCVE-100-354054 Entryinfo Created: 03/27/2026 23:51 Changes: 03/27/2026 23:51 (67) Complete: 🔍 Cache ID: 99:B95:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸