CVE-2025-66021
CVE-2025-66021
Issue with OWASP Java HTML Sanitizer
FALSE POSITIVE
Rundeck and Runbook Automation are not vulnerable to this CVE.
CVE-2025-66021 describes a vulnerability that only affects the usage of HtmlPolicyBuilder when configured with allowTextIn for the style tag.
After review, we have confirmed that neither Rundeck nor Runbook Automation use HtmlPolicyBuilder with allowTextIn for the style tag, so this vulnerability does not impact our products.