CVE-2026-28348

MEDIUM

lxml_html_clean <0.4.4 - XSS

Title source: llm

Description

lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers. This issue has been patched in version 0.4.4.

References (2)

Scores

CVSS v3 6.1
EPSS 0.0003
EPSS Percentile 7.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Classification

CWE
CWE-116
Status published

Affected Products (1)

fedoralovespython/lxml_html_clean < 0.4.4

Timeline

Published Mar 05, 2026
Tracked Since Mar 06, 2026