{"id":"CVE-2022-21169","details":"The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass XSS sanitization.","aliases":["GHSA-grjp-4jmr-mjcw"],"modified":"2026-03-14T11:22:49.812684Z","published":"2022-09-26T05:15:10.133Z","references":[{"type":"REPORT","url":"https://github.com/AhmedAdelFahim/express-xss-sanitizer/issues/4"},{"type":"FIX","url":"https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/3bf8aaaf4dbb1c209dcb8d87a82711a54c1ab39a"},{"type":"FIX","url":"https://runkit.com/embed/w306l6zfm7tu"},{"type":"EVIDENCE","url":"https://security.snyk.io/vuln/SNYK-JS-EXPRESSXSSSANITIZER-3027443"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ahmedadelfahim/express-xss-sanitizer","events":[{"introduced":"0"},{"fixed":"a90ee0b5ac15fa1b300663d49d5b8b0d6f242d23"},{"fixed":"3bf8aaaf4dbb1c209dcb8d87a82711a54c1ab39a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.1.3"}]}}],"versions":["v1.1.0","v1.1.1","v1.1.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-21169.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}