Description
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers. This issue has been patched in version 0.4.4.
Published: 2026-03-05
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting via CSS @import bypass
Action: Immediate Patch
AI Analysis

Impact

The lxml_html_clean library contained a flaw in its _has_sneaky_javascript() method that removed backslashes before checking for dangerous CSS keywords. This allowed CSS Unicode escape sequences to bypass the @import and expression() filters, meaning an attacker could load external CSS or trigger legacy XSS victims in older browsers.

Affected Systems

Fedora‑Python lxml_html_clean versions prior to 0.4.4 are affected; the vulnerability is present in the library bundled with older Fedora releases or in projects that depend on the unpatched library.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity while the EPSS score of less than 1% shows the likelihood of exploitation is low at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply crafted HTML content that is processed by a web application using the vulnerable library, and the exploit typically succeeds only in legacy browsers that honor the @import directive and CSS expression() feature. Because it leads to cross‑site scripting, it poses a confidentiality and integrity risk to users of the affected application. The confidentiality and integrity risks are inferred from the CVE description's focus on cross‑site scripting, as they are not explicitly listed in the original CVE text.

Generated by OpenCVE AI on April 17, 2026 at 12:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the lxml_html_clean package to version 0.4.4 or later, as the fix removes the backslash stripping bug and properly checks for dangerous CSS patterns.
  • Ensure that all projects and virtual environments that reference lxml_html_clean use the updated library, including any downstream dependencies.
  • Add a secondary sanitization layer or configure the application to explicitly strip or block @import directives and CSS expressions before passing data to lxml_html_clean, providing an additional safeguard against future similar issues.

Generated by OpenCVE AI on April 17, 2026 at 12:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hw26-mmpg-fqfg lxml-html-clean has CSS @import Filter Bypass via Unicode Escapes
History

Mon, 09 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Fedoralovespython
Fedoralovespython lxml Html Clean
CPEs cpe:2.3:a:fedoralovespython:lxml_html_clean:*:*:*:*:*:python:*:*
Vendors & Products Fedoralovespython
Fedoralovespython lxml Html Clean

Fri, 06 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Fedora-python
Fedora-python lxml Html Clean
Vendors & Products Fedora-python
Fedora-python lxml Html Clean

Thu, 05 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers. This issue has been patched in version 0.4.4.
Title lxml_html_clean: CSS @import Filter Bypass via Unicode Escapes
Weaknesses CWE-116
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Fedora-python Lxml Html Clean
Fedoralovespython Lxml Html Clean
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T17:55:36.273Z

Reserved: 2026-02-26T18:38:13.890Z

Link: CVE-2026-28348

cve-icon Vulnrichment

Updated: 2026-03-06T17:55:26.589Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T20:16:16.180

Modified: 2026-03-09T20:55:16.367

Link: CVE-2026-28348

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses