CVE-2025-66021

High CVSS: 8.6

OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy. At time of publication no known patch is available.

Vendor

Owasp

Product

Java Html Sanitizer

CWE

CWE-79

Yayın Tarihi

2025-11-26 02:15:49

Güncelleme

2025-12-30 16:34:34

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Java Html Sanitizer HIGH Owasp 2025

Referanslar

https://github.com/OWASP/java-html-sanitizer/security/advisories/GHSA-g9gq-3pfx-2gw2 https://github.com/OWASP/java-html-sanitizer/security/advisories/GHSA-g9gq-3pfx-2gw2

Benzer Kayıtlar

Medium

CVE-2026-33691

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewal…

Medium

CVE-2026-3816

A security vulnerability has been detected in OWASP DefectDojo up to 2.55.4. This vulnerability affects the function inp…

Critical

CVE-2026-21876

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewal…

Critical

CVE-2025-66022

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution pa…

Medium

CVE-2025-54571

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versio…

High

CVE-2025-48866

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions…