CVE-2021-42576

CRITICAL

Bluemonday <1.0.16 - XSS

Description

The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.

Scores

CVSS v3: 9.8
EPSS: 0.0032
EPSS Percentile: 54.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

Status published

Affected Products (4)

microco/bluemonday < 1.0.16
python/pybluemonday < 0.0.8
pypi/pybluemonday < 0.0.8 (PyPI)
microcosm-cc/bluemonday < 1.0.16 (Go)

Timeline

Published: Oct 18, 2021
Tracked Since: Feb 18, 2026