CVE-2026-33979
Published: 27 March 2026
Summary
CVE-2026-33979 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Express XSS Sanitizer (vendor: Express Xss Sanitizer Project). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation requires timely patching of the Express XSS Sanitizer to version 2.0.2 or later, directly fixing the issue of silently ignored restrictive sanitization configurations.
Information input validation ensures user inputs from req.body, req.query, req.headers, and req.params are properly sanitized against XSS payloads, addressing the core failure in the vulnerable middleware.
Information output filtering applies encoding or sanitization to rendered outputs, preventing XSS execution even if malicious inputs bypass the flawed input sanitization.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in public-facing Express middleware directly enables remote exploitation (T1190) via unsanitized input; the resulting XSS supports session cookie theft and session hijacking (T1185) and content defacement (T1491.002), as described in the advisory.
NVD Description
Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.
Deeper analysis
CVE-2026-33979 affects Express XSS Sanitizer, a middleware for Express 4.x and 5.x applications that sanitizes user input from req.body, req.query, req.headers, and req.params to prevent cross-site scripting (XSS) attacks. In versions prior to 2.0.2, the middleware silently ignores restrictive sanitization configurations, such as explicitly provided empty allowedTags or allowedAttributes options. This flaw, linked to CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-183 (Permissive List of Allowed Inputs), carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N), indicating high severity due to its potential for integrity compromise.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity by submitting malicious input through the sanitized request parameters. The ignored configurations allow harmful HTML and JavaScript to bypass sanitization via the underlying sanitize-html library, enabling XSS execution in the application's output. This results in low confidentiality impact but high integrity impact, as attackers could steal session cookies, perform actions on behalf of users, or deface content, depending on the application's rendering of sanitized data.
The GitHub security advisory (GHSA-3843-rr4g-m8jq), release notes for v2.0.2, and related commit (5623009ef11dcf095c163a38dea07b9cc22ad19f) detail the fix: version 2.0.2 updates validation logic to honor explicitly provided empty configurations, passing allowedTags or allowedAttributes directly to sanitize-html without overrides. Security practitioners should upgrade to Express XSS Sanitizer 2.0.2 or later and review configurations to ensure restrictive sanitization is enforced as intended.
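The following is an added illustration of the configuration-handling flaw class described above; it is not code from express-xss-sanitizer or sanitize-html. The two resolver functions and the tiny tag stripper are hypothetical stand-ins that reproduce the pattern (an explicitly empty allowlist being mistaken for "not provided" and replaced by permissive defaults) so the behaviour can be checked offline; the same reasoning applies to allowedAttributes.

```javascript
// Hypothetical reconstruction of the flaw pattern; NOT the project's code.
const DEFAULT_ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'a', 'p'];

// Vulnerable pattern: a length-based truthiness check treats an explicit
// `allowedTags: []` as "not provided", so the permissive defaults are
// silently restored and the operator's restriction is never applied.
function resolveAllowedTagsVulnerable(options) {
  const tags = options.allowedTags;
  return tags && tags.length ? tags : DEFAULT_ALLOWED_TAGS;
}

// Fixed pattern: only an absent option falls back to defaults; a provided
// value, even an empty list, is honoured exactly as given.
function resolveAllowedTagsFixed(options) {
  return options.allowedTags !== undefined
    ? options.allowedTags
    : DEFAULT_ALLOWED_TAGS;
}

// Minimal stand-in for an allowlist-based sanitizer: drop every tag whose
// name is not in the allowlist and keep the text. Not a real sanitizer.
function stripDisallowedTags(html, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9-]*)\b[^>]*>/g, (match, name) =>
    allowed.has(name.toLowerCase()) ? match : ''
  );
}

// Constructed sample input (not taken from the advisory).
const SAMPLE_INPUT = '<p>hi <b>there</b> <img src=x onerror=alert(1)></p>';

// Sanitize SAMPLE_INPUT using whichever option resolver is supplied.
function sanitizeWith(resolver, options, input = SAMPLE_INPUT) {
  return stripDisallowedTags(input, resolver(options));
}

// An operator who configured `allowedTags: []` expects plain text back.
const strictOptions = { allowedTags: [] };
console.log(sanitizeWith(resolveAllowedTagsVulnerable, strictOptions));
// -> '<p>hi <b>there</b> </p>'  (defaults silently applied; markup survives)
console.log(sanitizeWith(resolveAllowedTagsFixed, strictOptions));
// -> 'hi there '                (explicit empty allowlist honoured)
```

Running the two resolvers against the same strict configuration is a quick way to confirm, after upgrading, that an intentionally empty allowlist is actually enforced rather than replaced by defaults.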
Details
- CWE(s)