CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-4jhm-jv67-739f: `lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes

highCVSS 8.2CVE-2026-49825
lxml_html_clean.Cleaner does not strip javascript: URLs from namespaced URL attributes (xlink:href) Reporter: Guillem Lefait <guillem@datamq.com> · Date: 2026-05-10 Affected: lxml ≤ 6.1.0 and lxml_html_clean ≤ 0.4.4 (latest stable) Confirmed against: lxml 6.1.0 + lxml_html_clean 0.4.4 on Python 3.13.5, 3.14.4, and 3.15.0a8 (libxml2 2.14.6 / 2.9.14 — bug is in pure-Python sanitizer logic, independent of the libxml2 backend) Root-cause class: same as CVE-2021-28957 (formaction missing from link_attrs) Summary Cleaner filters URL schemes (javascript:, vbscript:, …) by walking links via rewrite_links(), which delegates to iterlinks(), which only yields attributes named in lxml.html.defs.link_attrs. That allow-list contains no prefixed names (xlink:href) and no srcset. As a result, when Cleaner is configured with safe_attrs_only=False — a documented option for callers that want lenient attribute handling but still expect URL-scheme scrubbing — <a xlink:href="javascript:…"> survives sanitization untouched, and any browser that follows the SVG-anchor specification will execute the JavaScript when the rendered link is clicked. CWE: CWE-79 (XSS), with CWE-184 (Incomplete List of Disallowed Inputs) as the underlying defect class. Affected components | Package | Versions tested | File / line | |--------------------|------------------------|----------------------------------| | lxml | 4.9.x, 5.2.1, 6.1.0 | src/lxml/html/defs.py:20 | | lxml | " | src/lxml/html/init.py:485-528 | | lxml_html_clean | 0.4.0 – 0.4.4 | lxml_html_clean/clean.py:348,576 | The legacy lxml.html.clean module — bundled in lxml < 5.2.0 and still installable on newer versions via the lxml[html_clean] extra — shares the same bug. Root cause defs.link_attrs is a flat string set; the literal xlink:href is absent: lxml/html/defs.py link_attrs = frozenset([ 'action', 'archive', 'background', 'cite', 'classid', 'codebase', 'data', 'href', 'longdesc', 'profile', 'src', 'usemap', 'dynsrc', 'lowsrc', 'formac

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 8.2
Published
2026-07-08
Last updated
2026-07-08
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-4jhm-jv67-739f

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-49825coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories