CVE-2014-3146

MEDIUM

lxml < 3.3.5 - Cross-Site Scripting via Control Characters in Link Scheme

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-3146. PoCs published by Maksim Kochkin.

AI-analyzed exploit summary: This exploit demonstrates a security-bypass vulnerability in lxml's HTML cleaner, where obfuscated JavaScript (using control characters) bypasses the sanitization filter. The PoC shows that malicious scripts can evade detection and execute in the cleaned output.

Description

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

Exploits (1)

Source: Exploit-DB (working PoC, verified)
Author: Maksim Kochkin
Tags: text / remote / linux
URL: https://www.exploit-db.com/exploits/39155

Classification
Working PoC: 100%
Attack type: XSS
Complexity: Trivial
Reliability: Reliable
Target: lxml < 3.3.5
Authentication: none needed
Prerequisites: lxml library version prior to 3.3.5
MITRE ATT&CK: not listed
Analysis: mistral-large-3, analyzed Feb 16, 2026

References (14)

Vendor advisory (Debian, DSA-2941): http://www.debian.org/security/2014/dsa-2941
Mailing list (oss-security): http://www.openwall.com/lists/oss-security/2014/05/09/7
Vendor advisory (Ubuntu, USN-2217-1): http://www.ubuntu.com/usn/USN-2217-1
Third-party advisory (Secunia 58744): http://secunia.com/advisories/58744
Third-party advisory (Mageia, MGASA-2014-0218): http://advisories.mageia.org/MGASA-2014-0218.html
Exploit / VDB entry (SecurityFocus BID 67159): http://www.securityfocus.com/bid/67159
Vendor advisory (Mandriva, MDVSA-2015:112): http://www.mandriva.com/security/advisories?name=MDVSA-2015:112
Third-party advisory (Secunia 58013): http://secunia.com/advisories/58013
Mailing list (Full Disclosure): http://seclists.org/fulldisclosure/2014/Apr/210
Third-party advisory (Secunia 59008): http://secunia.com/advisories/59008
Vendor advisory (openSUSE updates): http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html
Exploit / mailing list (Full Disclosure): http://seclists.org/fulldisclosure/2014/Apr/319
Vendor confirmation (lxml 3.3.5 changelog): http://lxml.de/3.3/changes-3.3.5.html

Scores

CVSS v3: 6.1
EPSS: 0.0633
EPSS percentile: 92.8%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical impact: partial

Details

CWE: CWE-79
Status: published
Products (43):
lxml/lxml 0.5
lxml/lxml 0.5.1
lxml/lxml 0.6
lxml/lxml 0.7
lxml/lxml 0.8
lxml/lxml 0.9
lxml/lxml 0.9.1
lxml/lxml 0.9.2
lxml/lxml 1.0
lxml/lxml 1.0.1
... and 33 more
Published: May 14, 2014
Tracked since: Feb 18, 2026