CVE-2026-25543

6.1 MEDIUM

📋 TL;DR

HtmlSanitizer versions before 9.0.892 and 9.1.893-beta fail to sanitize content within template tags when those tags are allowed, potentially enabling cross-site scripting (XSS) attacks. This affects any .NET application using vulnerable versions of the HtmlSanitizer library to clean user-supplied HTML. Attackers could inject malicious scripts that execute when template content is rendered with shadowrootmode attributes.

💻 Affected Systems

Products:
  • HtmlSanitizer .NET library
Versions: All versions before 9.0.892 and 9.1.893-beta
Operating Systems: All platforms running .NET applications
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if template tags are explicitly allowed in sanitizer configuration. Default configurations may not be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full XSS compromise allowing attackers to steal session cookies, perform actions as authenticated users, or deface websites.

🟠 Likely Case

Limited XSS exploitation in applications that allow template tags and render their contents, potentially leading to session hijacking or data theft.

🟢 If Mitigated

No impact if template tags are disallowed in the sanitizer configuration or if the shadowrootmode attribute is blocked.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires template tags to be allowed and their contents to be rendered with shadowrootmode attributes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.892 or 9.1.893-beta

Vendor Advisory: https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f

Restart Required: Yes

Instructions:

1. Update the HtmlSanitizer NuGet package to version 9.0.892 or 9.1.893-beta.
2. Rebuild and redeploy affected applications.
3. Restart application services.

🔧 Temporary Workarounds

Disable template tags (applies to: all)

Configure HtmlSanitizer to disallow template tags entirely:

sanitizer.AllowedTags.Remove("template");

Block shadowrootmode attribute (applies to: all)

Prevent template tags from rendering their content by blocking the shadowrootmode attribute:

sanitizer.AllowedAttributes.Remove("shadowrootmode");
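The two workarounds above applied together, with a self-check that confirms the configured sanitizer really drops template content. This is an added example, not code from the advisory or from the HtmlSanitizer project; it assumes the HtmlSanitizer NuGet package is referenced and that its namespace is Ganss.Xss (the 9.x namespace). The input string is constructed to match the shape the advisory describes.

```csharp
// Added example (not from the advisory or the HtmlSanitizer project).
// Assumes the HtmlSanitizer package is referenced and exposes the Ganss.Xss namespace.
using System;
using Ganss.Xss;

public static class TemplateHardening
{
    // Constructed sample input: a template element carrying shadowrootmode and
    // wrapping a script, i.e. the condition the advisory warns about. Used only to
    // confirm that the sanitizer strips it; it is not a payload from the advisory.
    private const string Sample =
        "<p>hello</p><template shadowrootmode=\"open\"><script>alert('xss')</script></template>";

    // Both workarounds from the advisory: never allow template, and drop
    // shadowrootmode as well so a later change that re-allows template still
    // cannot make its content render.
    public static HtmlSanitizer CreateHardenedSanitizer()
    {
        var sanitizer = new HtmlSanitizer();
        sanitizer.AllowedTags.Remove("template");
        sanitizer.AllowedAttributes.Remove("shadowrootmode");
        return sanitizer;
    }

    // Returns true when the sanitizer's output for the constructed sample contains
    // no template element, no shadowrootmode attribute and no script element.
    // Run this against the sanitizer instance the application actually uses, so
    // that any extra AllowedTags/AllowedAttributes entries added elsewhere are covered.
    public static bool SanitizerStripsTemplate(HtmlSanitizer sanitizer)
    {
        string output = sanitizer.Sanitize(Sample);
        return output.IndexOf("<template", StringComparison.OrdinalIgnoreCase) < 0
            && output.IndexOf("shadowrootmode", StringComparison.OrdinalIgnoreCase) < 0
            && output.IndexOf("<script", StringComparison.OrdinalIgnoreCase) < 0;
    }

    public static void Main()
    {
        var sanitizer = CreateHardenedSanitizer();
        Console.WriteLine(sanitizer.Sanitize(Sample));
        Console.WriteLine(SanitizerStripsTemplate(sanitizer)
            ? "OK: template content stripped"
            : "WARNING: template content passed through the sanitizer");
    }
}
```

The check is worth keeping as a unit test in the application: the advisory's condition only arises when template is explicitly allowed, so a test that fails the moment someone adds "template" to AllowedTags catches the regression before deployment, independent of which package version is installed.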

🧯 If You Can't Patch

  • Implement output encoding for any content that passes through HtmlSanitizer
  • Deploy WAF rules to detect and block XSS attempts involving template tags

🔍 How to Verify

Check if Vulnerable:

Check whether the HtmlSanitizer version is below 9.0.892 (or below 9.1.893-beta on the beta line) and whether template tags are allowed in the sanitizer configuration.

Check Version:

Check the packages.config or .csproj file for the referenced HtmlSanitizer version.

Verify Fix Applied:

Verify that the HtmlSanitizer package version in the project dependencies is 9.0.892 or higher (or 9.1.893-beta or higher on the beta line).
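A small checker for the version step above, as an added example that is not part of the advisory: it reads the HtmlSanitizer version out of an SDK-style .csproj (PackageReference) or a packages.config (package id) and compares it with the fixed versions named on this page. The project XML below is constructed sample input; central package management (Directory.Packages.props) and transitive references are out of scope and would need a separate check.

```csharp
// Added example (not from the advisory). Parses project files for the
// HtmlSanitizer reference and compares the version with the patched releases.
using System;
using System.Linq;
using System.Xml.Linq;

public static class HtmlSanitizerVersionCheck
{
    // Fixed versions from the advisory: stable and beta lines.
    private static readonly Version FixedStable = new Version(9, 0, 892);
    private static readonly Version FixedBeta = new Version(9, 1, 893);

    // Constructed sample .csproj fragment (not a real project file).
    private const string SampleCsproj = @"<Project Sdk=""Microsoft.NET.Sdk"">
  <ItemGroup>
    <PackageReference Include=""HtmlSanitizer"" Version=""8.1.870"" />
  </ItemGroup>
</Project>";

    // Returns the HtmlSanitizer version string from a .csproj (PackageReference)
    // or packages.config (package id="..."), or null when it is not referenced.
    public static string FindHtmlSanitizerVersion(string projectXml)
    {
        var doc = XDocument.Parse(projectXml);

        string fromPackageReference = doc.Descendants("PackageReference")
            .Where(e => string.Equals((string)e.Attribute("Include"), "HtmlSanitizer",
                                      StringComparison.OrdinalIgnoreCase))
            // Version may be an attribute or a child element in SDK-style projects.
            .Select(e => (string)e.Attribute("Version") ?? (string)e.Element("Version"))
            .FirstOrDefault();
        if (fromPackageReference != null) return fromPackageReference;

        return doc.Descendants("package")
            .Where(e => string.Equals((string)e.Attribute("id"), "HtmlSanitizer",
                                      StringComparison.OrdinalIgnoreCase))
            .Select(e => (string)e.Attribute("version"))
            .FirstOrDefault();
    }

    // True when the version is below the patched release for its branch.
    // 9.1.x is treated as the beta line (fixed at 9.1.893-beta); everything else
    // is compared with the stable fix 9.0.892.
    public static bool IsVulnerableVersion(string versionText)
    {
        // System.Version does not accept a prerelease suffix such as "-beta".
        string numeric = versionText.Split('-')[0];
        if (!Version.TryParse(numeric, out var v))
            return true; // unparseable (e.g. a floating range): flag for manual review

        if (v.Major == 9 && v.Minor == 1) return v < FixedBeta;
        return v < FixedStable;
    }

    public static void Main()
    {
        string version = FindHtmlSanitizerVersion(SampleCsproj);
        if (version == null)
        {
            Console.WriteLine("HtmlSanitizer is not referenced directly in this project.");
            return;
        }
        Console.WriteLine(IsVulnerableVersion(version)
            ? $"HtmlSanitizer {version}: below the fixed version, update required"
            : $"HtmlSanitizer {version}: at or above the fixed version");
    }
}
```

A version at or above the fix only closes the library-side issue; the configuration check (whether "template" is in AllowedTags) still applies, since the advisory scopes the exposure to deployments that allow that tag.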

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML input containing template tags with shadowrootmode attributes
  • XSS filter bypass attempts

Network Indicators:

  • HTTP requests containing malicious script payloads within template tags

SIEM Query:

source="web_logs" AND ((template AND shadowrootmode) OR (script AND template))
