CVE-2026-25543
EUVD-2026-5328
04.02.2026, 22:16
HtmlSanitizer is a .NET library for removing constructs that can lead to XSS attacks from HTML fragments and documents. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag whose contents are not normally rendered, unless its shadowrootmode attribute is set to open or closed. This issue has been patched in versions 9.0.892 and 9.1.893-beta.
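The following C# check is added here as an illustration and is not part of the HtmlSanitizer project or its test suite: it reproduces the advisory's precondition (the template tag present in AllowedTags) and reports whether markup nested inside a template element is still stripped. It assumes the Ganss.Xss namespace of HtmlSanitizer 8.x/9.x and that template is not in the default AllowedTags set.

```csharp
using System;
using Ganss.Xss;  // HtmlSanitizer NuGet package; namespace assumed for 8.x/9.x

// Regression check for CVE-2026-25543 (illustrative, not project code).
static class TemplateSanitizationCheck
{
    // Constructed input: a <template> wrapping a <script> element that any
    // sanitizer configuration must strip. The script body is an inert marker.
    const string Input = "<p>ok</p><template><script>probe()</script></template>";

    // Returns true when no <script> survives in the sanitized output.
    public static bool TemplateContentsAreSanitized(HtmlSanitizer sanitizer)
    {
        string output = sanitizer.Sanitize(Input);
        return output.IndexOf("<script", StringComparison.OrdinalIgnoreCase) < 0;
    }

    public static void Main()
    {
        // Default configuration (assumption: template is not allowed by default),
        // so the whole element and everything inside it is removed.
        var strict = new HtmlSanitizer();
        Console.WriteLine($"template disallowed -> sanitized: {TemplateContentsAreSanitized(strict)}");

        // Configuration that triggers the bug on builds before 9.0.892 / 9.1.893-beta:
        // once <template> is allowed, its contents were passed through unsanitized.
        var permissive = new HtmlSanitizer();
        permissive.AllowedTags.Add("template");
        bool ok = TemplateContentsAreSanitized(permissive);
        Console.WriteLine($"template allowed    -> sanitized: {ok}");
        if (!ok)
            Console.WriteLine("Vulnerable build: remove \"template\" from AllowedTags or upgrade to a patched version.");
    }
}
```

On a patched version both configurations report true; on an affected version the second reports false, which is the signal to drop template from AllowedTags until the upgrade lands.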
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| htmlsanitizer_project | htmlsanitizer | x < 9.0.892 |
| htmlsanitizer_project | htmlsanitizer | 9.1.878 ≤ x < 9.1.893 |

x = vulnerable software versions
Common Weakness Enumeration
- CWE-116 - Improper Encoding or Escaping of Output: The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.