# [CRIT] [GHSA / CRITICAL] CVE-2026-44990: Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

**Source:** GitHub Security Advisories
**Published:** 2026-05-14
**Article:** https://github.com/advisories/GHSA-rpr9-rxv7-x643

## Threat Profile

Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

### Summary
Under the default configuration, `sanitize-html` can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users.

### Details
In `sanitize-html@2.17.3`, the default `nonTextTags` list includes only `script`,…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-44990`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1204.002** — User Execution: Malicious File
- **T1059.007** — Command and Scripting Interpreter: JavaScript

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### sanitize-html xmp-tag XSS payload (CVE-2026-44990) in inbound HTTP request

`UC_295_2` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.url) as url values(Web.http_method) as http_method values(Web.src) as src values(Web.user_agent) as user_agent values(Web.status) as status from datamodel=Web.Web where (Web.url="*<xmp>*" OR Web.url="*<XMP>*" OR Web.url="*%3cxmp%3e*" OR Web.url="*%3CXMP%3E*" OR Web.url="*%3cXmp%3e*") AND (Web.url="*<script*" OR Web.url="*%3cscript*" OR Web.url="*%3Cscript*" OR Web.url="*onerror=*" OR Web.url="*onload=*" OR Web.url="*onclick=*" OR Web.url="*onmouseover=*" OR Web.url="*onerror%3d*" OR Web.url="*onload%3d*") by Web.dest Web.src Web.url Web.http_method Web.status Web.user_agent | `drop_dm_object_name(Web)` | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
// Note: covers ONLY URL/query-string reflection. POST bodies are not captured in DeviceNetworkEvents.
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "HttpConnectionInspected", "InboundConnectionAccepted")
| where isnotempty(RemoteUrl)
| where RemoteUrl contains "xmp"
| where (RemoteUrl contains "<xmp>" or RemoteUrl contains "<XMP>" or RemoteUrl contains "%3cxmp%3e" or RemoteUrl contains "%3CXMP%3E")
| where (RemoteUrl contains "<script" or RemoteUrl contains "%3cscript" or RemoteUrl contains "%3Cscript" or RemoteUrl contains "onerror=" or RemoteUrl contains "onload=" or RemoteUrl contains "onclick=" or RemoteUrl contains "onerror%3d" or RemoteUrl contains "onload%3d")
| project Timestamp, DeviceName, DeviceId, ActionType, RemoteIP, RemotePort, RemoteUrl,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

### Vulnerable sanitize-html <=2.17.3 / Apostrophe CMS asset inventory (CVE-2026-44990)

`UC_295_3` · phase: **recon** · confidence: **High** · AI-generated for this article

**Defender KQL:**
```kql
// Two angles: (1) TVM has indexed the CVE; (2) raw inventory finds vulnerable sanitize-html versions even where the CVE feed lags.
let _vuln_versions = dynamic(["2.17.0","2.17.1","2.17.2","2.17.3"]);
union isfuzzy=true
(
  DeviceTvmSoftwareVulnerabilities
  | where CveId == "CVE-2026-44990"
  | project Timestamp, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, Signal="TVM-CVE"
),
(
  DeviceTvmSoftwareInventory
  | where SoftwareName has_any ("sanitize-html","apostrophe","apostrophecms")
  | where SoftwareVersion in (_vuln_versions) or (SoftwareName has "sanitize-html" and SoftwareVersion startswith "2.17." and SoftwareVersion !in ("2.17.4","2.17.5"))
  | project Timestamp, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel="-", RecommendedSecurityUpdate="Upgrade sanitize-html >=2.17.4 / Apostrophe latest", Signal="Inventory-Match"
)
| order by DeviceName asc
```

### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-44990: Apostrophe has default XSS via `xmp` raw-text

`UC_295_1` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-44990: Apostrophe has default XSS via `xmp` raw-text ```
| tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process_name IN ("index.js","node.js"))
    by Processes.dest, Processes.user, Processes.process_name,
       Processes.process, Processes.parent_process_name, Processes.process_path
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| append [
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_name IN ("index.js","node.js"))
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
]
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-44990: Apostrophe has default XSS via `xmp` raw-text
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where (FileName in~ ("index.js", "node.js"))
| project Timestamp, DeviceName, AccountName, FileName,
          FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// File-creation events for the named binaries / paths
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated","FileModified")
| where (FileName in~ ("index.js", "node.js"))
| project Timestamp, DeviceName, AccountName, FolderPath,
          FileName, ActionType, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-44990`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 3 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.