Vulnerability details: VCID-pe3n-8tcx-5bb5
Vulnerability ID VCID-pe3n-8tcx-5bb5
Aliases GHSA-vrx2-77f2-ww34
Summary: justhtml has sanitization bypass in custom policies and programmatic DOM

## Summary

`justhtml` `1.17.0` fixes multiple security issues in sanitization, serialization, and programmatic DOM handling. Most of these issues affected advanced or custom configurations rather than the default safe path.

## Affected versions

- `justhtml` `<= 1.16.0`

## Fixed version

- `justhtml` `1.17.0`, released on April 19, 2026

## Impact

### Custom SVG / MathML sanitization policies

Custom policies that preserved foreign namespaces could allow dangerous content to survive sanitization, including:

- active HTML integration points such as SVG `<foreignObject>`, MathML `<annotation-xml encoding="text/html">`, SVG `<title>` / `<desc>`, and MathML text integration points
- mutation-XSS parser-differential payloads that looked inert in memory but became active HTML after reparse
- SVG `filter="url(...)"` attributes that could trigger external fetches

These issues affected:

- `JustHTML(..., sanitize=True)` with custom foreign-namespace policies
- `sanitize()` / `sanitize_dom()`
- low-level terminal `Sanitize(...)` transform execution

### Preserved `<style>` handling

Constructor-time sanitization and explicit `Sanitize(...)` transforms did not fully match `sanitize()` / `sanitize_dom()` when custom policies preserved `<style>`. That could leave resource-loading CSS such as `@import` or `background-image:url(...)` in sanitized output from HTML string input.

### Programmatic DOM serialization

Programmatic `script`, `style`, and `Comment(...)` nodes could still serialize into active markup in some edge cases. This could affect applications that build or mutate DOM trees directly before calling `to_html()` or `to_markdown(html_passthrough=True)`.

### Cache mutation and DOM cycle handling

Two lower-severity hardening fixes were included:

- compiled sanitize-pipeline caches could be mutated after warming and weaken later sanitization
- parent/child cycles in programmatic DOM trees could cause infinite loops in operations such as `to_html()` and `sanitize_dom()`

## Default configuration

Most of the issues above did **not** affect ordinary parsed HTML with the default `JustHTML(..., sanitize=True)` configuration. The main risk areas were:

- custom policies that preserve SVG or MathML
- custom policies that preserve `<style>`
- programmatic DOM construction or mutation
- low-level direct sanitizer/transform APIs

## Recommended action

Upgrade to `justhtml` `1.17.0`. If users cannot upgrade immediately:

- avoid preserving SVG or MathML for untrusted input
- avoid preserving `<style>` for untrusted input
- avoid mutating programmatic DOM trees with untrusted `script`, `style`, or comment content
- avoid mutating warmed policy internals or sanitizer caches

## Credit

Discovered during an internal security review of `justhtml`.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (6)
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N
Found at https://github.com/EmilStenstrom/justhtml

Decoded metrics:

| Metric | Value |
| --- | --- |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Attack Requirements (AT) | Present |
| Privileges Required (PR) | None |
| User Interaction (UI) | Passive |
| Vulnerable System Impact: Confidentiality (VC) | None |
| Vulnerable System Impact: Integrity (VI) | High |
| Vulnerable System Impact: Availability (VA) | None |
| Subsequent System Impact: Confidentiality (SC) | None |
| Subsequent System Impact: Integrity (SI) | Low |
| Subsequent System Impact: Availability (SA) | None |

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N (same vector and metric values as above)
Found at https://github.com/EmilStenstrom/justhtml/security/advisories/GHSA-vrx2-77f2-ww34

No EPSS data available for this vulnerability.

| Date | Actor | Action | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- |
| 2026-06-12T07:45:40.044016+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-vrx2-77f2-ww34/GHSA-vrx2-77f2-ww34.json | 38.6.0 |