Description
Namespace attributes are not encoded correctly during HTML serialization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.
Published: 2026-06-08
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the HTML serializer of TYPO3's HTML Sanitizer, which fails to properly encode namespace attributes. This omission allows an attacker to craft malicious markup that bypasses the package’s XSS prevention, letting injected scripts execute in the context of any user viewing the sanitized content.

Affected Systems

Vendors and users employing TYPO3 HTML Sanitizer versions earlier than 2.3.2 are vulnerable. The issue affects all instances where the sanitized output is rendered without additional filtering.

Risk and Exploitability

With a CVSS score of 5.1 the risk is moderate; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply crafted content—such as custom templates or user‑generated input—to the sanitizer; successful exploitation would result in malicious script execution in victims’ browsers, potentially leading to session hijacking or data theft.

Generated by OpenCVE AI on June 8, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install TYPO3 HTML Sanitizer 2.3.2 or newer, which corrects the namespace attribute encoding.
  • Replace or disable any legacy sanitization paths that bypass the official sanitizer to ensure all attributes are strictly encoded.
  • Conduct a review of extensions, templates, or custom content that interacts with the sanitizer to confirm no residual XSS vectors remain.

Generated by OpenCVE AI on June 8, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Description Namespace attributes are not encoded correctly during HTML serialization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.
Title TYPO3 HTML Sanitizer allows Cross-Site Scripting
First Time appeared Typo3
Typo3 html Sanitizer
Weaknesses CWE-79
CPEs cpe:2.3:a:typo3:html_sanitizer:*:*:*:*:*:*:*:*
Vendors & Products Typo3
Typo3 html Sanitizer
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Typo3 Html Sanitizer
cve-icon MITRE

Status: PUBLISHED

Assigner: TYPO3

Published:

Updated: 2026-06-08T19:49:59.995Z

Reserved: 2026-05-19T12:49:25.966Z

Link: CVE-2026-47345

cve-icon Vulnrichment

Updated: 2026-06-08T19:49:50.720Z

cve-icon NVD

Status : Received

Published: 2026-06-08T20:17:01.743

Modified: 2026-06-08T20:17:01.743

Link: CVE-2026-47345

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T20:30:06Z

Weaknesses