CVE-2020-26293
XSS in HtmlSanitizer
Severity: MEDIUM 6.1 | EPSS: 0.34%
Published: 1/4/2021 | Modified: 3/13/2026
Description
### Impact
If you have explicitly allowed the `<style>` tag, an attacker can craft HTML that still contains script after passing through the sanitizer. The default settings disallow the `<style>` tag, so there is no risk unless you have explicitly added it to the allowed tags.
### Patches
The problem has been fixed in version 5.0.372.
### Workarounds
Remove the `<style>` tag from the set of allowed tags.
### For more information
If you have any questions or comments about this advisory, open an issue in https://github.com/mganss/HtmlSanitizer
### Credits
This issue was discovered by Michal Bentkowski of Securitum.
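The following is an added example, not code from the HtmlSanitizer project or from this advisory. It shows how to audit a sanitizer instance for the affected configuration (the `<style>` tag present in `AllowedTags`) and how to apply the workaround above by removing it. The `StyleTagCheck` class and its method names are made up for this illustration; `HtmlSanitizer`, `AllowedTags` and `Sanitize` are the package's public API. The `Ganss.Xss` namespace is the current one; it is assumed here that releases before 8.0, including the 5.0.x line this advisory covers, use `Ganss.XSS` instead.

```csharp
// Added example for CVE-2020-26293 (not part of the HtmlSanitizer project).
// Requires the HtmlSanitizer NuGet package.
using System;
using Ganss.Xss; // assumed: older releases (before 8.0) use the namespace Ganss.XSS

static class StyleTagCheck // hypothetical helper, not part of the package
{
    // True when the instance is in the configuration the advisory calls affected:
    // <style> has been explicitly added to the allowed-tag set.
    public static bool AllowsStyleTag(HtmlSanitizer sanitizer) =>
        sanitizer.AllowedTags.Contains("style");

    // The workaround from the advisory: drop <style> from the allowed-tag set.
    // Returns true if the tag was present and has now been removed.
    public static bool ApplyWorkaround(HtmlSanitizer sanitizer) =>
        sanitizer.AllowedTags.Remove("style");

    static void Main()
    {
        // Constructed sample input for the demonstration.
        const string input = "<p>Hello</p><style>p { color: red; }</style>";

        // Default configuration: <style> is not allowed, so it is not affected.
        var defaults = new HtmlSanitizer();
        Console.WriteLine($"default allows <style>: {AllowsStyleTag(defaults)}");

        // A configuration that explicitly allows <style>: affected on versions < 5.0.372.
        var permissive = new HtmlSanitizer();
        permissive.AllowedTags.Add("style");
        Console.WriteLine($"permissive allows <style>: {AllowsStyleTag(permissive)}");

        // Apply the workaround and confirm the tag is gone from the allow-list.
        bool removed = ApplyWorkaround(permissive);
        Console.WriteLine($"workaround removed <style>: {removed}");
        Console.WriteLine($"after workaround allows <style>: {AllowsStyleTag(permissive)}");

        // With <style> no longer allowed, the sanitizer treats it like any other
        // disallowed element and removes it from the output.
        Console.WriteLine(permissive.Sanitize(input));
    }
}
```

The check in `AllowsStyleTag` is worth running once at startup against every `HtmlSanitizer` instance an application builds, since the vulnerable state is a configuration choice rather than a default. The workaround is only a stopgap: the fix itself is to upgrade the `HtmlSanitizer` package reference to 5.0.372 or later.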
Affected packages (1)
- NuGet/HtmlSanitizer: affected from 0, < 5.0.372
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-26293
- WEB: https://github.com/mganss/HtmlSanitizer/commit/a3a7602a44d4155d51ec0fbbedc2a49e9c7e2eb8
- WEB: https://github.com/mganss/HtmlSanitizer/releases/tag/v5.0.372
- WEB: https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-8j9v-h2vp-2hhv
- WEB: https://www.nuget.org/packages/HtmlSanitizer