OWASP Java HTML Sanitizer XSS via noscript/style before 20240325.1
CVE-2025-66021 Published on November 26, 2025
OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization
OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy. At time of publication no known patch is available.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2025-66021 has been classified to as a XSS vulnerability or weakness.
Affected Versions
OWASP java-html-sanitizer Version = 20240325.1 is affected by CVE-2025-66021Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.