CVE-2021-43818

HIGH

lxml < 4.6.5 - Cross-Site Scripting via HTML Cleaner Bypass

Title source: llm
STIX 2.1

Description

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

References (14)

Core 14
Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2022/dsa-5043
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220107-0005/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202208-06

Scores

CVSS v3 8.2
EPSS 0.0543
EPSS Percentile 90.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-74 CWE-79
Status published
Products (16)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 34
fedoraproject/fedora 35
lxml/lxml < 4.6.5
netapp/hci_storage_node_firmware
netapp/solidfire
netapp/solidfire_enterprise_sds
oracle/communications_cloud_native_core_binding_support_function 22.1.3
... and 6 more
Published Dec 13, 2021
Tracked Since Feb 18, 2026