Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-25543

HtmlSanitizer has a bypass via template tag
Back to all
CVE

CVE-2026-25543

HtmlSanitizer has a bypass via template tag

Impact

If the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its contents, unless the shadowrootmode attribute is set to open or closed

The lack of sanitization of the template tag brings up two bypasses:

  1. it is still possible to forcibly render the contents of a <template> tag through mutation XSS. The DOM parsers in browsers such as Chromium have a node depth limit of 512 and tags which are beyond that depth are flattened. This in turn allows elements within <template> (which are not sanitized) to be effectively 'popped out'. An example would look like this: <div>[...]<template><script>alert('xss')</script> where [...] denotes at least another 509 opening <div> tags.
  2. If in addition to the template tag, the shadowrootmode attribute is allowed through sanitizer.AllowedAttributes.Add("shadowrootmode");, the simple payload of <div><template shadowrootmode="open"><script>alert('xss')</script> would bypass the sanitizer. This is because such usage of <template> attaches a shadow root to its parent: <div>, and its contents will be rendered. 

Note that the default configuration is not affected because the template tag is disallowed by default.

Patches

The problem has been patched in versions 9.0.892 and 9.1.893-beta.

Workarounds

Disallow the template tag. It is disallowed by default.

Resources

https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/template

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
6.3
-
4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
7.2
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Related Resources

No items found.

References

https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f, https://nvd.nist.gov/vuln/detail/CVE-2026-25543, https://github.com/mganss/HtmlSanitizer/commit/0ac53dca30ddad963f2b243669a5066933d82b81, https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/template, https://github.com/mganss/HtmlSanitizer, https://github.com/mganss/HtmlSanitizer/releases/tag/v9.0.892, https://www.nuget.org/packages/HtmlSanitizer/9.0.892, https://www.nuget.org/packages/HtmlSanitizer/9.1.893-beta

Severity

7.2

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.2
EPSS Probability
0.00045%
EPSS Percentile
0.13533%
Introduced Version
0,8.0.601,9.1.878-beta,5.0.218-beta,5.0.215-beta,4.0.217,3.3.129-beta,3.2.103,3.2.96-beta,3.0.5781.31354-beta,3.0.66-beta
Fix Available
9.0.892,9.1.893-beta

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading