Skip to content

lxml Cross-site Scripting Via Control Characters

Moderate severity GitHub Reviewed Published May 14, 2022 to the GitHub Advisory Database • Updated Aug 13, 2023

Package

pip lxml (pip)

Affected versions

< 3.3.5

Patched versions

3.3.5

Description

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

References

Published by the National Vulnerability Database May 14, 2014
Published to the GitHub Advisory Database May 14, 2022
Reviewed Aug 4, 2023
Last updated Aug 13, 2023

Severity

Moderate

Weaknesses

CVE ID

CVE-2014-3146

GHSA ID

GHSA-57qw-cc2g-pv5p

Source code

No known source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.