CVE-2021-42576
Severity: CRITICAL
bluemonday < 1.0.16 and pybluemonday < 0.0.8 - Policy Enforcement Bypass in SELECT, STYLE and OPTION Elements
Title source: llmDescription
The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
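As an added example (not code from the bluemonday or pybluemonday projects, and not an exploit for this CVE), the following Go helper does the two things a maintainer wants when triaging this advisory: decide whether a pinned version falls inside the affected range, and scan sanitizer output for any select, option or style tag that survived a policy which denies those elements. It does not call bluemonday itself; you pass it the string your sanitizer returned. The tag scanner is a simplified, hypothetical helper that recognises only "<name" and "</name" forms, which is adequate for a regression test over sanitizer output but is not a general HTML parser. The sample strings in main are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Elements whose policies the advisory says were not enforced before the fix.
var affectedElements = map[string]bool{"select": true, "option": true, "style": true}

// First fixed versions per ecosystem, taken from the advisory text.
var fixedVersion = map[string]string{
	"go":   "1.0.16", // bluemonday (Go)
	"pypi": "0.0.8",  // pybluemonday (PyPI)
}

// parseVersion splits a dotted numeric version ("1.0.15", "v1.0.16") into ints.
// Pre-release suffixes are not handled; none are needed for these ranges.
func parseVersion(v string) ([]int, error) {
	v = strings.TrimPrefix(v, "v")
	parts := strings.Split(v, ".")
	out := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version component %q in %q", p, v)
		}
		out = append(out, n)
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1; missing trailing components count as 0.
func compareVersions(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// IsAffected reports whether a bluemonday ("go") or pybluemonday ("pypi")
// version is older than the first fixed release named in the advisory.
func IsAffected(ecosystem, version string) (bool, error) {
	fixed, ok := fixedVersion[strings.ToLower(ecosystem)]
	if !ok {
		return false, fmt.Errorf("unknown ecosystem %q", ecosystem)
	}
	have, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	want, _ := parseVersion(fixed)
	return compareVersions(have, want) < 0, nil
}

func isNameByte(b byte) bool { return (b >= 'a' && b <= 'z') || (b >= '0' && b <= '9') }

func isTagTerminator(b byte) bool {
	return b == ' ' || b == '\t' || b == '\n' || b == '\r' || b == '/' || b == '>'
}

// LeakedElements scans sanitizer output and returns the names of every
// select/option/style tag (opening or closing) that survived. Under a policy
// that does not allow these elements, a correct sanitizer yields none.
// Hypothetical helper: matches "<name" and "</name" only, case-insensitively.
func LeakedElements(sanitized string) []string {
	var leaked []string
	s := strings.ToLower(sanitized)
	for i := 0; i < len(s); i++ {
		if s[i] != '<' {
			continue
		}
		j := i + 1
		if j < len(s) && s[j] == '/' {
			j++ // closing tag
		}
		k := j
		for k < len(s) && isNameByte(s[k]) {
			k++
		}
		// The name must end at whitespace, "/", ">" or end of input so that
		// "<styled>" or "<select-box>" are not reported as hits.
		if k == j || (k < len(s) && !isTagTerminator(s[k])) {
			continue
		}
		if affectedElements[s[j:k]] {
			leaked = append(leaked, s[j:k])
		}
	}
	return leaked
}

func main() {
	// Constructed samples: clean output, and output where the elements leaked.
	for _, out := range []string{
		`<p>hello <b>world</b></p>`,
		`<p>x</p><select><option>1</option></select><style>body{}</style>`,
	} {
		fmt.Printf("%q -> leaked %v\n", out, LeakedElements(out))
	}
	affected, _ := IsAffected("go", "1.0.15")
	fmt.Println("bluemonday 1.0.15 affected:", affected)
}
```

Run LeakedElements over what your sanitizer returns for inputs containing these elements under a policy that denies them; any non-empty result is a policy-enforcement failure of the kind this advisory describes and should be treated as a regression, whatever version is installed.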
References (1)
Exploit, Third Party Advisory (x_refsource_misc): https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/
Scores
CVSS v3: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0032 (percentile 55.2%)
Details
Status: published
Products (4)
microco/bluemonday: < 1.0.16
microcosm-cc/bluemonday (Go): 0 - 1.0.16
pypi/pybluemonday (PyPI): 0 - 0.0.8
python/pybluemonday: < 0.0.8
Published: Oct 18, 2021
Tracked Since: Feb 18, 2026