Vulnerability DatabaseCVE-2026-28348
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-28348
March 05, 2026
lxml_html_clean is a project for HTML cleaning functionalities copied from "lxml.html.clean". Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers. This issue has been patched in version 0.4.4.
Affected Packages
lxml-html-clean (CONDA):
Affected version(s) >=0.1.1 <0.4.4
Fix Suggestion:
Update to version 0.4.4
https://github.com/fedora-python/lxml_html_clean.git (GITHUB):
Affected version(s) >=0.1.0 <0.4.4
Fix Suggestion:
Update to version 0.4.4
lxml-html-clean (PYTHON):
Affected version(s) >=0.1.0 <0.4.4
Fix Suggestion:
Update to version 0.4.4
Related Resources (4)
https://nvd.nist.gov/vuln/detail/CVE-2026-28348
https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-hw26-mmpg-fqfg
https://github.com/fedora-python/lxml_html_clean/commit/2ef732667ddbc74ea59847bcf24b75809aaeed3b
https://github.com/fedora-python/lxml_html_clean
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Encoding or Escaping of Output
CWE-116