CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-jhhc-3hcp-qhm5: WeasyPrint has CSS Injection via Presentational Hints

mediumCVSS 6.5CVE-2026-49452
Summary A CSS injection issue exists in WeasyPrint when HTML presentational hints are enabled. Unescaped attribute values are embedded into CSS, allowing injection of arbitrary CSS declarations. This affects applications processing untrusted HTML input. Details File: weasyprint/css/init.py The background attribute is used to construct CSS: background-image:url({element.get("background")}) This string is parsed by tinycss2.parse_blocks_contents(). Because the value is not escaped, additional CSS declarations can be injected. PoC <body background="x);background-image:url(http://169.254.169.254/latest/meta-data/)"> Impact - CSS injection - Server-side requests via injected url() - Limited to cases where presentational_hints=True Suggested Fix - Escape attribute values before embedding into CSS - Restrict allowed values for presentational hints VULN-05_css_injection_presentational_hints.md

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 6.5
Published
2026-07-06
Last updated
2026-07-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-jhhc-3hcp-qhm5

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-49452coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories