CVE-2025-66021
OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization
Description
OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy. At time of publication no known patch is available.
INFO
Published Date :
Nov. 26, 2025, 1:53 a.m.
Last Modified :
Nov. 26, 2025, 1:53 a.m.
Remotely Exploit :
No
Source :
GitHub_M
Affected Products
The following products are affected by CVE-2025-66021
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
Solution
- Avoid allowing noscript and style tags with allowTextIn.
- Sanitize CSS content within style tags effectively.
- Restrict tag inclusions in the HTML policy.
- Await and apply vendor patches when available.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-66021 vulnerability anywhere in the article.