| Vulnerability ID | VCID-kg61-21wu-kyfd |
| Aliases | GHSA-r758-8hxw-4845 |
| Summary | justhtml: Mutation XSS with custom foreign-namespace sanitization policies |

## Summary

A parser-differential / mutation XSS issue was found in `justhtml` when using a **custom sanitization policy** that preserves foreign namespaces such as SVG or MathML. Under these custom settings, specially crafted input could sanitize into HTML that looked safe at first, but became unsafe when parsed again by a browser or another HTML parser.

## Impact

This issue does **not** affect the default safe configuration. You may be affected if you use a custom `SanitizationPolicy` with settings like:

- `drop_foreign_namespaces=False`
- allowlisted foreign elements such as MathML or SVG
- allowlisted raw-text containers such as `<style>`

In that case, an attacker could inject markup that survives sanitization and turns into active HTML after re-parsing.

## Affected versions

- `justhtml` `<= 1.13.0`

## Fixed version

- Fixed in `1.14.0`

## Workarounds

Until you upgrade:

- keep `drop_foreign_namespaces=True`
- avoid allowlisting foreign namespaces for untrusted input
- avoid allowlisting raw-text containers such as `<style>` in custom policies

## Notes

The default `JustHTML(..., sanitize=True)` behavior was not found to be vulnerable in this issue.

## Credit

Discovered by the JustHTML author during an LLM-based security review of `justhtml`.
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 2.7 |
| Risk | 1.4 |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | LOW | https://github.com/advisories/GHSA-r758-8hxw-4845 |
| cvssv4 | 2.1 | https://github.com/EmilStenstrom/justhtml |
| generic_textual | LOW | https://github.com/EmilStenstrom/justhtml |
| cvssv4 | 2.1 | https://github.com/EmilStenstrom/justhtml/commit/8adc4dfe31723dc522f44338f9bd98381c92b076 |
| generic_textual | LOW | https://github.com/EmilStenstrom/justhtml/commit/8adc4dfe31723dc522f44338f9bd98381c92b076 |
| cvssv4 | 2.1 | https://github.com/EmilStenstrom/justhtml/releases/tag/v1.14.0 |
| generic_textual | LOW | https://github.com/EmilStenstrom/justhtml/releases/tag/v1.14.0 |
| cvssv3.1_qr | LOW | https://github.com/EmilStenstrom/justhtml/security/advisories/GHSA-r758-8hxw-4845 |
| cvssv4 | 2.1 | https://github.com/EmilStenstrom/justhtml/security/advisories/GHSA-r758-8hxw-4845 |
| generic_textual | LOW | https://github.com/EmilStenstrom/justhtml/security/advisories/GHSA-r758-8hxw-4845 |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-12T07:45:39.407349+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r758-8hxw-4845/GHSA-r758-8hxw-4845.json | 38.6.0 |