FKIE_CVE-2026-28350
Vulnerability from fkie_nvd - Published: 2026-03-05 20:16 - Updated: 2026-03-09 20:55
Severity: MEDIUM (CVSS 3.1 base score 6.1)
Summary
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the <base> tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, there is no specific handling for <base>, allowing an attacker to inject it and hijack relative links on the page. This issue has been patched in version 0.4.4.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| fedoralovespython | lxml_html_clean | * |
```json
{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fedoralovespython:lxml_html_clean:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "A0BBE70C-C635-4143-83FD-87D7D95B37DD",
              "versionEndExcluding": "0.4.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the \u003cbase\u003e tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, there is no specific handling for \u003cbase\u003e, allowing an attacker to inject it and hijack relative links on the page. This issue has been patched in version 0.4.4."
    },
    {
      "lang": "es",
      "value": "lxml_html_clean es un proyecto para funcionalidades de limpieza de HTML copiadas de \u0027lxml.html.clean\u0027. Antes de la versi\u00f3n 0.4.4, la etiqueta pasa a trav\u00e9s de la configuraci\u00f3n predeterminada de Cleaner. Aunque page_structure=True elimina las etiquetas html, head y title, no hay un manejo espec\u00edfico para , permitiendo a un atacante inyectarla y secuestrar enlaces relativos en la p\u00e1gina. Este problema ha sido parcheado en la versi\u00f3n 0.4.4."
    }
  ],
  "id": "CVE-2026-28350",
  "lastModified": "2026-03-09T20:55:26.037",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-05T20:16:16.333",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/fedora-python/lxml_html_clean/commit/9c5612ca33b941eec4178abf8a5294b103403f34"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-xvp8-3mhv-424c"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-xvp8-3mhv-424c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-116"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.