Cyber Resilience

CVE-2026-33979

High · Public PoC

Published: 27 March 2026
Modified: 31 March 2026
KEV Added: not listed
Patch: 2.0.2
CVSS Score (v3.1): 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
EPSS Score: 0.0038 (29.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33979 is a high-severity cross-site scripting (CWE-79) vulnerability in Express XSS Sanitizer (vendor: Express XSS Sanitizer Project). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Exploit likelihood (EPSS) ranks at the 29.9th percentile, below the median; the CVE is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-33979 affects Express XSS Sanitizer, a middleware for Express 4.x and 5.x applications that sanitizes user input from req.body, req.query, req.headers, and req.params to prevent cross-site scripting (XSS) attacks. In versions prior to 2.0.2, the middleware silently ignores restrictive sanitization configurations, such as explicitly provided empty allowedTags or allowedAttributes options. This flaw, linked to CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-183 (Permissive List of Allowed Inputs), carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N), indicating high severity due to its potential for integrity compromise.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity by submitting malicious input through the sanitized request parameters. The ignored configurations allow harmful HTML and JavaScript to bypass sanitization via the underlying sanitize-html library, enabling XSS execution in the application's output. This results in low confidentiality impact but high integrity impact, as attackers could steal session cookies, perform actions on behalf of users, or deface content, depending on the application's rendering of sanitized data.

The GitHub security advisory (GHSA-3843-rr4g-m8jq), release notes for v2.0.2, and related commit (5623009ef11dcf095c163a38dea07b9cc22ad19f) detail the fix: version 2.0.2 updates validation logic to honor explicitly provided empty configurations, passing allowedTags or allowedAttributes directly to sanitize-html without overrides. Security practitioners should upgrade to Express XSS Sanitizer 2.0.2 or later and review configurations to ensure restrictive sanitization is enforced as intended.

Vulnerability details

Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attacks. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.
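The failure described in the deeper analysis and in the advisory text above is a configuration-handling defect: an explicitly empty allowlist is treated as "not configured" and quietly replaced by permissive defaults (CWE-183). The JavaScript below is an added illustration written for this page; it is not the express-xss-sanitizer package's code, does not reproduce sanitize-html, and the package's real internals may differ. The resolver functions, the default tag list, the toy tag filter and the sample input are all constructed assumptions. The last function is the part a defender can reuse: a regression check that confirms a deployed sanitizer honours `allowedTags: []` after the upgrade to 2.0.2.

```javascript
// Added illustration for CVE-2026-33979; NOT the express-xss-sanitizer package's
// code. It models the behaviour the advisory describes: an explicitly empty
// allowlist being treated as "absent" and widened to permissive defaults.

// Constructed default allowlist (assumption; not the library's real default).
const DEFAULT_ALLOWED_TAGS = ["b", "i", "em", "strong", "p"];

// Hypothetical option resolution with the defect: an empty array is treated
// as "not provided", so a restrictive configuration is silently widened.
function resolveAllowedTagsVulnerable(options = {}) {
  const provided = options.allowedTags;
  return Array.isArray(provided) && provided.length > 0 ? provided : DEFAULT_ALLOWED_TAGS;
}

// Hypothetical fixed resolution: any explicitly provided array is honoured,
// including an empty one; defaults apply only when nothing was configured.
function resolveAllowedTagsFixed(options = {}) {
  return Array.isArray(options.allowedTags) ? options.allowedTags : DEFAULT_ALLOWED_TAGS;
}

// Teaching stand-in for the real sanitizer (not sanitize-html): drops
// script/style elements with their content, removes every tag whose name is
// not allowlisted, and rewrites kept tags without attributes. It exists only
// to make the difference between the two resolvers visible.
function stripDisallowedTags(html, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  const withoutScripts = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  return withoutScripts.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9-]*)\b[^>]*>/g, (_m, slash, name) =>
    allowed.has(name.toLowerCase()) ? `<${slash}${name.toLowerCase()}>` : ""
  );
}

// Sanitize using a given option resolver, mirroring a middleware that reads
// its allowlist from configuration and then filters a request field.
function sanitizeWith(resolveAllowedTags, html, options) {
  return stripDisallowedTags(html, resolveAllowedTags(options));
}

// Constructed sample of untrusted input, as it might arrive in req.body.
const SAMPLE_INPUT = "<p>hello</p><b>bold</b><script>alert(1)</script>";

// Run the same restrictive configuration (no tags allowed) through both resolvers.
function demo() {
  const restrictive = { allowedTags: [] };
  return {
    vulnerable: sanitizeWith(resolveAllowedTagsVulnerable, SAMPLE_INPUT, restrictive),
    fixed: sanitizeWith(resolveAllowedTagsFixed, SAMPLE_INPUT, restrictive),
  };
}

// Defender-side regression check: true only if the sanitizer under test
// honours an explicit empty allowlist, i.e. no tag survives. Pass any
// (html, options) => string function, for example a thin wrapper around the
// middleware actually deployed, to confirm the upgrade took effect.
function emptyAllowlistIsHonoured(sanitize) {
  const out = sanitize("<b>x</b><p>y</p>", { allowedTags: [] });
  return !/<\/?[a-zA-Z]/.test(out);
}

if (typeof require !== "undefined" && require.main === module) {
  // With the restrictive config, the defective resolver still emits <p> and <b>.
  console.log(demo());
}
```

Running the block prints the two results side by side: the defective resolver keeps `<p>` and `<b>` although the caller allowed no tags at all, while the fixed resolver strips everything. Wire `emptyAllowlistIsHonoured` around the real middleware in a test suite and it fails on the defective behaviour and passes once explicit empty configurations are honoured.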

CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-183 (Permissive List of Allowed Inputs)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
T1491.002 External Defacement (Impact): An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.
Why these techniques?

The vulnerability in public-facing Express middleware directly enables remote exploitation (T1190) via unsanitized input; the resulting XSS supports session cookie theft and hijacking (T1185) and content defacement (T1491.002), as described in the advisory.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22320 (shared CWE-79)
CVE-2015-20118 (shared CWE-79)
CVE-2025-23846 (shared CWE-79)
CVE-2026-2936 (shared CWE-79)
CVE-2025-24620 (shared CWE-79)
CVE-2026-30862 (shared CWE-79)
CVE-2025-15055 (shared CWE-79)
CVE-2025-67932 (shared CWE-79)
CVE-2025-28928 (shared CWE-79)
CVE-2025-13504 (shared CWE-79)

Affected Assets

Vendor: express xss sanitizer project
Product: express xss sanitizer
Versions: ≤ 2.0.2

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: SI-2 Flaw Remediation. Flaw remediation requires timely patching of the Express XSS Sanitizer to version 2.0.2 or later, directly fixing the issue of silently ignored restrictive sanitization configurations.

Prevent: SI-10 Information Input Validation. Information input validation ensures user inputs from req.body, req.query, req.headers, and req.params are properly sanitized against XSS payloads, addressing the core failure in the vulnerable middleware.

Prevent: SI-15 Information Output Filtering. Information output filtering applies encoding or sanitization to rendered outputs, preventing XSS execution even if malicious inputs bypass the flawed input sanitization.

References