Vulnerability Description
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers. This issue has been patched in version 0.4.4.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fedoralovespython | Lxml Html Clean | < 0.4.4 |
Related Weaknesses (CWE)
References
- https://github.com/fedora-python/lxml_html_clean/commit/2ef732667ddbc74ea59847bcPatch
- https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-hw26-mExploitVendor Advisory
- https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-hw26-mExploitVendor Advisory
FAQ
What is CVE-2026-28348?
CVE-2026-28348 is a vulnerability with a CVSS score of 6.1 (MEDIUM). lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangero...
How severe is CVE-2026-28348?
CVE-2026-28348 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28348?
Check the references section above for vendor advisories and patch information. Affected products include: Fedoralovespython Lxml Html Clean.