{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25543", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T19:59:47.375Z", "datePublished": "2026-02-04T21:45:25.665Z", "dateUpdated": "2026-02-05T18:24:09.842Z"}, "containers": {"cna": {"title": "HtmlSanitizer has a bypass via template tag", "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f"}, {"name": "https://github.com/mganss/HtmlSanitizer/commit/0ac53dca30ddad963f2b243669a5066933d82b81", "tags": ["x_refsource_MISC"], "url": "https://github.com/mganss/HtmlSanitizer/commit/0ac53dca30ddad963f2b243669a5066933d82b81"}, {"name": "https://www.nuget.org/packages/HtmlSanitizer/9.0.892", "tags": ["x_refsource_MISC"], "url": "https://www.nuget.org/packages/HtmlSanitizer/9.0.892"}, {"name": "https://www.nuget.org/packages/HtmlSanitizer/9.1.893-beta", "tags": ["x_refsource_MISC"], "url": "https://www.nuget.org/packages/HtmlSanitizer/9.1.893-beta"}], "affected": [{"vendor": "mganss", "product": "HtmlSanitizer", "versions": [{"version": "< 9.0.892", "status": "affected"}, {"version": "< 9.1.893-beta", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:45:25.665Z"}, "descriptions": [{"lang": "en", "value": "HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its contents, unless the shadowrootmode attribute is set to open or closed. This issue has been patched in versions 9.0.892 and 9.1.893-beta."}], "source": {"advisory": "GHSA-j92c-7v7g-gj3f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T18:24:02.525697Z", "id": "CVE-2026-25543", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T18:24:09.842Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25543", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T18:24:02.525697Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T18:24:05.969Z"}}], "cna": {"title": "HtmlSanitizer has a bypass via template tag", "source": {"advisory": "GHSA-j92c-7v7g-gj3f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "mganss", "product": "HtmlSanitizer", "versions": [{"status": "affected", "version": "< 9.0.892"}, {"status": "affected", "version": "< 9.1.893-beta"}]}], "references": [{"url": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f", "name": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mganss/HtmlSanitizer/commit/0ac53dca30ddad963f2b243669a5066933d82b81", "name": "https://github.com/mganss/HtmlSanitizer/commit/0ac53dca30ddad963f2b243669a5066933d82b81", "tags": ["x_refsource_MISC"]}, {"url": "https://www.nuget.org/packages/HtmlSanitizer/9.0.892", "name": "https://www.nuget.org/packages/HtmlSanitizer/9.0.892", "tags": ["x_refsource_MISC"]}, {"url": "https://www.nuget.org/packages/HtmlSanitizer/9.1.893-beta", "name": "https://www.nuget.org/packages/HtmlSanitizer/9.1.893-beta", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its contents, unless the shadowrootmode attribute is set to open or closed. This issue has been patched in versions 9.0.892 and 9.1.893-beta."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:45:25.665Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25543", "state": "PUBLISHED", "dateUpdated": "2026-02-05T18:24:09.842Z", "dateReserved": "2026-02-02T19:59:47.375Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T21:45:25.665Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:htmlsanitizer_project:htmlsanitizer:*:*:*:*:*:*:*:*", "matchCriteriaId": "50E4C6AE-4885-4C25-AECC-7DFC84B02DE1", "versionEndExcluding": "9.0.892", "vulnerable": true}, {"criteria": "cpe:2.3:a:htmlsanitizer_project:htmlsanitizer:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D85EA7A-1B11-4EAA-AE6A-C008831A68A4", "versionEndExcluding": "9.1.893", "versionStartIncluding": "9.1.878", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its contents, unless the shadowrootmode attribute is set to open or closed. This issue has been patched in versions 9.0.892 and 9.1.893-beta."}, {"lang": "es", "value": "HtmlSanitizer es una librer\u00eda.NET para limpiar fragmentos y documentos HTML de construcciones que pueden llevar a ataques XSS. Antes de las versiones 9.0.892 y 9.1.893-beta, si la etiqueta template est\u00e1 permitida, su contenido no se sanitiza. La etiqueta template es una etiqueta especial que normalmente no renderiza su contenido, a menos que el atributo shadowrootmode est\u00e9 configurado como open o closed. Este problema ha sido parcheado en las versiones 9.0.892 y 9.1.893-beta."}], "id": "CVE-2026-25543", "lastModified": "2026-02-24T21:29:57.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T22:16:00.523", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mganss/HtmlSanitizer/commit/0ac53dca30ddad963f2b243669a5066933d82b81"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://www.nuget.org/packages/HtmlSanitizer/9.0.892"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://www.nuget.org/packages/HtmlSanitizer/9.1.893-beta"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:08:56.993616+00:00", "value": {"mitigation_remediation": ["Upgrade HtmlSanitizer to version 9.0.892 or later from the official NuGet repository.", "If using the 9.1.893\u2011beta release, upgrade to the latest stable build (9.1.893\u2011beta or newer).", "If an upgrade is not immediately feasible, disable template tag support in the application configuration to prevent the unsanitized content from being processed."], "summary": {"action": "Apply patch", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The flaw affects the HtmlSanitizer project from mganss. Versions before 9.0.892 and before 9.1.893\u2011beta are vulnerable. Any .NET application that references the vulnerable NuGet packages or includes the library in its code base is at risk. The vulnerability is present only when the template tag is explicitly enabled and the shadowrootmode attribute is not correctly restricted.", "description_and_impact": "HtmlSanitizer is a .NET library designed to sanitize HTML fragments. The vulnerability allows an attacker to inject malicious content inside a template tag that is not sanitized when the tag is permitted. Because the template tag can contain executable markup that becomes visible only when the shadowrootmode attribute is set to open or closed, an attacker can trigger a cross\u2011site scripting attack. This flaw is rooted in improper input validation (CWE\u201179) and improper encoding (CWE\u2011116).", "risk_and_exploitability": "The CVSS score of 6.3 indicates a medium severity potential compromise of confidentiality and integrity through client\u2011side code execution. The EPSS probability is less than 1%, suggesting exploitation is unlikely but still possible in targeted attacks. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector would be a client\u2011side injection via a malicious web page that includes the library, so it requires the application to process untrusted input. Because the flaw resides in content rendering logic, an attacker must have a way to supply material that is parsed by HtmlSanitizer."}}}}, "created": "2026-02-05T11:39:50.900121+00:00", "updated": "2026-04-17T23:15:30.803632+00:00", "vendors": ["mganss", "mganss$PRODUCT$htmlsanitizer"]}