CVE-2025-52561
MEDIUMHTMLSanitizer.jl < 0.2.1 - Cross-Site Scripting via Style Tag Whitelist
Title source: llmDescription
HTMLSanitizer.jl is a Whitelist-based HTML sanitizer. Prior to version 0.2.1, when adding the style tag to the whitelist, content inside the tag is incorrectly unescaped, and closing tags injected as content are interpreted as real HTML, enabling tag injection and JavaScript execution. This could result in possible cross-site scripting (XSS) in any HTML that is sanitized with this library. This issue has been patched in version 0.2.1. A workaround involves adding the math and svg elements to the whitelist manually.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/JuliaComputing/HTMLSanitizer.jl/security/advisories/GHSA-3mj7-qxh9-6q4p
Issue Tracking x_refsource_misc
https://github.com/JuliaComputing/HTMLSanitizer.jl/pull/5
Scores
CVSS v4
6.9
EPSS
0.0071
EPSS Percentile
49.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
JuliaComputing/HTMLSanitizer.jl
< 0.2.1
Published
Jun 23, 2025
Tracked Since
Feb 18, 2026