CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49825

highCVSS 8.2covered by 1 sourcefirst seen 2026-07-08
lxml_html_clean.Cleaner does not strip javascript: URLs from namespaced URL attributes (xlink:href) Reporter: Guillem Lefait <guillem@datamq.com> · Date: 2026-05-10 Affected: lxml ≤ 6.1.0 and lxml_html_clean ≤ 0.4.4 (latest stable) Confirmed against: lxml 6.1.0 + lxml_html_clean 0.4.4 on Python 3.13.5, 3.14.4, and 3.15.0a8 (libxml2 2.14.6 / 2.9.14 — bug is in pure-Python sanitizer logic, independent of the libxml2 backend) Root-cause class: same as CVE-2021-28957 (formaction missing from link_attrs) Summary Cleaner filters URL schemes (javascript:, vbscript:, …) by walking links via rewrite_links(), which delegates to iterlinks(), which only yields attributes named in lxml.html.defs.link_attrs. That allow-list contains no prefixed names (xlink:href) and no srcset. As a result, when Cleaner is configured with safe_attrs_only=False — a documented option for callers that want lenient attribute handling but still expect URL-scheme scrubbing — <a xlink:href="javascript:…"> survives sanitization untouched, and any browser that follows the SVG-anchor specification will execute the JavaScript when the rendered link is clicked. CWE: CWE-79 (XSS), with CWE-184 (Incomplete List of Disallowed Inputs) as the underlying defect class. Affected components | Package | Versions tested | File / line | |--------------------|------------------------|----------------------------------| | lxml | 4.9.x, 5.2.1, 6.1.0 | src/lxml/html/defs.py:20 | | lxml | " | src/lxml/html/init.py:485-528 | | lxml_html_clean | 0.4.0 – 0.4.4 | lxml_html_clean/clean.py:348,576 | The legacy lxml.html.clean module — bundled in lxml < 5.2.0 and still installable on newer versions via the lxml[html_clean] extra — shares the same bug. Root cause defs.link_attrs is a flat string set; the literal xlink:href is absent: lxml/html/defs.py link_attrs = frozenset([ 'action', 'archive', 'background', 'cite', 'classid', 'codebase', 'data', 'href', 'longdesc', 'profile', 'src', 'usemap', 'dynsrc', 'lowsrc', 'formac

⚡ Watch CVE-2026-49825

Get an email if CVE-2026-49825 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-49825

CVE.org record

Embed the live status

CVE-2026-49825 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49825 status](https://www.csirts.com/badge/CVE-2026-49825)](https://www.csirts.com/cve/CVE-2026-49825)