CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49452

mediumCVSS 6.5covered by 1 sourcefirst seen 2026-07-06
Summary A CSS injection issue exists in WeasyPrint when HTML presentational hints are enabled. Unescaped attribute values are embedded into CSS, allowing injection of arbitrary CSS declarations. This affects applications processing untrusted HTML input. Details File: weasyprint/css/init.py The background attribute is used to construct CSS: background-image:url({element.get("background")}) This string is parsed by tinycss2.parse_blocks_contents(). Because the value is not escaped, additional CSS declarations can be injected. PoC <body background="x);background-image:url(http://169.254.169.254/latest/meta-data/)"> Impact - CSS injection - Server-side requests via injected url() - Limited to cases where presentational_hints=True Suggested Fix - Escape attribute values before embedding into CSS - Restrict allowed values for presentational hints VULN-05_css_injection_presentational_hints.md

⚡ Watch CVE-2026-49452

Get an email if CVE-2026-49452 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-49452

CVE.org record

Embed the live status

CVE-2026-49452 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49452 status](https://www.csirts.com/badge/CVE-2026-49452)](https://www.csirts.com/cve/CVE-2026-49452)