Vulnerability details: VCID-j2rc-dcnp-n7eh
Vulnerability ID VCID-j2rc-dcnp-n7eh
Aliases GHSA-c9vm-hv86-f23r
Summary justhtml includes multiple security fixes

## Summary

`justhtml` `1.15.0` includes multiple security fixes affecting URL sanitization helpers, HTML serialization, Markdown passthrough, and several custom sanitization-policy edge cases. These issues have different impact levels and do not all affect the default configuration in the same way.

## Affected versions

- `justhtml` `<= 1.14.0`

## Fixed version

- `justhtml` `1.15.0`, released on April 9, 2026

## Impact overview

### Helper and serialization issues

These issues could affect applications using JustHTML helpers or programmatic DOM construction, even outside the default HTML sanitization path.

- `JustHTML.clean_url_value(...)` and `clean_url_in_js_string(...)` could accept URL values such as `javascript&#58...`, which became active `javascript:` URLs after HTML attribute parsing decoded the character reference.
- URL sanitization could treat values like `\\evil.example/x` or `/\\evil.example/x` as safe relative URLs even though browsers resolve them as network-path references to a remote host.
- Malformed bracketed hosts such as `https://[evil.example]/x` could raise exceptions and crash sanitization when host allowlists were used.
- Programmatic element or attribute names containing markup-breaking characters could be serialized into active HTML.
- Programmatic HTML comments containing `-->` could break out of the comment and inject live markup.

### Markdown passthrough issue

- `to_markdown(html_passthrough=True)` could reintroduce active HTML from sanitized `<textarea>` content by emitting a raw closing `</textarea>` sequence.

### Custom policy issues

These issues affected custom policies more than the default safe configuration.

- `a[ping]` was handled as a single URL even though browsers interpret it as a space-separated URL list.
- `attributionsrc` was not treated as URL-bearing and could preserve attacker-controlled reporting endpoints.
- `link[imagesrcset]` was not treated as URL-bearing and could preserve attacker-controlled image candidates.
- Preserved `<meta http-equiv="refresh">` tags could keep redirect targets without URL-policy enforcement.
- Preserved `<base href>` tags could rewrite how later relative URLs resolved in the browser.
- Preserved `<style>` blocks could keep resource-loading CSS such as `@import`, `url(...)`, or `image-set(...)`.
- Mixed-case attribute names in custom transform pipelines could bypass or confuse security-related transforms such as `DropAttrs(...)`, `DropUrlAttrs(...)`, `AllowStyleAttrs(...)`, and `MergeAttrs(...)`, because HTML attribute names are case-insensitive while the transforms matched on exact spelling.

## Default configuration

Most of the custom-policy issues above did **not** affect the default `JustHTML(..., sanitize=True)` behavior. The main exceptions were applications that use:

- helper APIs such as `clean_url_value(...)`
- programmatic DOM / serializer usage
- `html_passthrough=True`
- custom policies or custom transform pipelines

## Recommended action

Upgrade to `justhtml` `1.15.0`. If you cannot upgrade immediately:

- avoid `html_passthrough=True` for untrusted content
- avoid preserving `<style>`, `<meta http-equiv="refresh">`, and `<base href>` in custom policies
- avoid allowing `ping`, `attributionsrc`, or `imagesrcset` unless you explicitly validate each URL they carry
- avoid serializing untrusted programmatic node names, attribute names, or comment data
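The URL-handling and serialization checks the advisory describes, as an added Python example that is not justhtml's own code and does not use its API. `SAFE_SCHEMES`, `ALLOWED_HOSTS`, and every function name below are assumptions made for illustration. The browser behaviour the code encodes is standard HTML and WHATWG URL parsing rather than anything specific to justhtml: character references are decoded before the URL parser sees an attribute value, a backslash is treated like a slash for special schemes, `ping` is a space-separated URL list, `imagesrcset` is a comma-separated candidate list, attribute names are case-insensitive, and `-->` ends a comment. It generalizes the single-attribute cases in the advisory into one check applied to every URL-bearing attribute.

```python
import html
import re
from urllib.parse import urlsplit

# Example policy, constructed for this illustration (not justhtml's own
# configuration or API): the schemes the sanitizer lets through and the hosts
# a host allowlist permits.
SAFE_SCHEMES = {"http", "https", "mailto"}
ALLOWED_HOSTS = {"example.com", "cdn.example.com"}

# Attributes whose value is a list of URLs rather than one URL: a[ping] is
# space-separated; srcset / link[imagesrcset] are comma-separated
# "<url> [descriptor]" candidates.
SPACE_LIST_ATTRS = {"ping"}
SRCSET_ATTRS = {"srcset", "imagesrcset"}

_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_INNER_WHITESPACE = re.compile(r"[\t\n\r]")


def normalize_url(value):
    """Apply the decoding a browser performs before its URL parser sees the value."""
    # The attribute parser decodes character references first, so
    # "javascript&#58;x" or "javascript&colon;x" reaches the URL parser as
    # "javascript:x"; a scheme check on the raw string misses that.
    value = html.unescape(value)
    # The URL parser strips leading/trailing C0 controls and spaces and drops
    # tab/CR/LF anywhere, so "java\nscript:x" is still a javascript: URL.
    value = _INNER_WHITESPACE.sub("", _EDGE_CONTROLS.sub("", value))
    # For special schemes the WHATWG parser treats "\" like "/", so
    # "\\evil.example/x" and "/\evil.example/x" are network-path references
    # to evil.example, not same-origin relative paths.
    return value.replace("\\", "/")


def parse_url(value):
    """Return (scheme, host, path) for the normalized value, or None if unparsable."""
    try:
        parts = urlsplit(normalize_url(value))
        # Recent Pythons validate bracketed hosts and raise ValueError for
        # "https://[evil.example]/x"; catch it instead of letting the
        # exception take the request down.
        return parts.scheme, parts.hostname, parts.path
    except ValueError:
        return None


def is_safe_url(value, allowed_hosts=None):
    """Scheme allowlist plus optional host allowlist; unparsable values are rejected."""
    parsed = parse_url(value)
    if parsed is None:
        return False
    scheme, host, _ = parsed
    if scheme and scheme not in SAFE_SCHEMES:
        return False
    if host is not None and allowed_hosts is not None and host not in allowed_hosts:
        return False
    return True


def clean_url_attr(name, value, allowed_hosts=None):
    """Return the attribute value to keep, or None to drop the attribute."""
    # HTML attribute names are case-insensitive; a policy keyed on exact
    # spelling lets "PING" or "Href" past a rule written for "ping" / "href".
    name = name.lower()
    if name in SPACE_LIST_ATTRS:
        kept = [u for u in value.split() if is_safe_url(u, allowed_hosts)]
        return " ".join(kept) or None
    if name in SRCSET_ATTRS:
        kept = []
        # Splitting on commas is naive (a data: URL may contain commas), but a
        # candidate mangled by the split fails is_safe_url and is dropped.
        for candidate in value.split(","):
            fields = candidate.split()
            if fields and is_safe_url(fields[0], allowed_hosts):
                kept.append(" ".join(fields))
        return ", ".join(kept) or None
    return value if is_safe_url(value, allowed_hosts) else None


# Serializer guards for programmatically built nodes: there is no escaping
# syntax inside a tag name, attribute name or comment, so reject, don't encode.
_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.:-]*")


def safe_node_name(name):
    """Accept a conservative subset of HTML names; anything else could break out of the tag."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"unsafe node name: {name!r}")
    return name


def safe_comment(data):
    """Serialize a comment only if the parser would not end it early."""
    if "-->" in data or "--!>" in data or "<!--" in data or data.startswith((">", "->")):
        raise ValueError("comment data would terminate the comment early")
    return f"<!--{data}-->"
```

The ordering inside `normalize_url` matters: decode character references first, then whitespace, then the backslash rewrite, because that is the order in which the attribute parser and the URL parser see the value. Rejecting unparsable input in `is_safe_url` is deliberate; a sanitizer that raises on a malformed host turns an injection attempt into a denial of service.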
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (6)
No exploits are available.

No EPSS data available for this vulnerability.

| Date | Actor | Action | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- |
| 2026-06-12T07:46:57.286070+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-c9vm-hv86-f23r/GHSA-c9vm-hv86-f23r.json | 38.6.0 |