cvedb.io
CVE-2024-52595
HIGH · CVSS 7.7
EPSS exploitation probability: 0%
Published 2024-11-19T22:15:21.120 · Last modified 2026-06-17T08:07:31.003

Summary

lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML parser used by lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>` and `<noscript>`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content inside CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in the default configuration for sanitizing untrusted HTML content. Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml_html_clean 0.4.0, whic
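The parser differential the summary describes can be made concrete with a small standard-library script. The following is an added illustration written for this page; it is not code from lxml_html_clean, lxml, or the advisory, and it is not the reported bypass payload. It assumes two things: that Python's `html.parser`, which always tokenises `<style>` bodies as raw text, stands in for the context-insensitive parse the summary attributes to lxml, and that a subclass which refuses to enter raw-text mode while inside `<svg>` or `<math>` is a sufficient approximation of the browser rule for foreign content. The HTML5 "breakout" handling of HTML tags inside foreign content is not modelled, and `<noscript>` is left out because a browser's treatment of it depends on whether scripting is enabled. The class names, the `hidden_elements` helper and the constructed sample (a harmless `<b>` sitting inside a CSS comment) are all this example's own.

```python
"""Parser-differential demo for context-switching tags (<svg>, <math>).

Added illustration, not code from lxml_html_clean. Uses only the standard
library: html.parser treats <style> content as raw text regardless of
context; the second class approximates the browser rule that inside
SVG/MathML foreign content <style> is an ordinary element whose children
are parsed as markup.
"""
from html.parser import HTMLParser


class RawTextStyleParser(HTMLParser):
    """Context-insensitive parse: <style>/<script> bodies are always raw text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.events = []  # (kind, value) tuples in document order

    def handle_starttag(self, tag, attrs):
        self.events.append(("start", tag))

    def handle_endtag(self, tag):
        self.events.append(("end", tag))

    def handle_data(self, data):
        if data.strip():
            self.events.append(("data", data.strip()))

    def start_tags(self):
        return [value for kind, value in self.events if kind == "start"]


class ForeignContentParser(RawTextStyleParser):
    """Browser-like approximation (assumption of this example): while inside
    <svg> or <math>, never switch the tokeniser into raw-text mode for
    <style>, so markup in the style body, even inside a CSS comment, is
    tokenised as elements. Full HTML5 breakout rules are not modelled."""

    FOREIGN_ROOTS = {"svg", "math"}

    def __init__(self):
        self._foreign_depth = 0  # set before HTMLParser.__init__ runs reset()
        super().__init__()

    def handle_starttag(self, tag, attrs):
        if tag in self.FOREIGN_ROOTS:
            self._foreign_depth += 1
        super().handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.FOREIGN_ROOTS and self._foreign_depth:
            self._foreign_depth -= 1
        super().handle_endtag(tag)

    def set_cdata_mode(self, elem, *args, **kwargs):
        # HTMLParser calls this right after handle_starttag for script/style.
        if self._foreign_depth:
            return  # stay in normal tokenisation, as a browser does here
        super().set_cdata_mode(elem, *args, **kwargs)


def parse_with(parser_cls, document):
    parser = parser_cls()
    parser.feed(document)
    parser.close()
    return parser


def hidden_elements(document):
    """Tags the browser-style parse yields that the raw-text parse never sees.
    A non-empty result means an element-level cleaner working on the raw-text
    tree would never get a chance to inspect those elements."""
    raw = set(parse_with(RawTextStyleParser, document).start_tags())
    browser = set(parse_with(ForeignContentParser, document).start_tags())
    return browser - raw


# Constructed sample: a harmless <b> inside a CSS comment inside <style> inside <svg>.
SAMPLE = "<svg><style>/* <b>hidden</b> */</style></svg>"

if __name__ == "__main__":
    print("raw-text parse    :", parse_with(RawTextStyleParser, SAMPLE).events)
    print("browser-like parse:", parse_with(ForeignContentParser, SAMPLE).events)
    print("hidden elements   :", hidden_elements(SAMPLE))
```

Run as a script, the raw-text parse yields only `svg` and `style` start tags, with the whole comment delivered as text, while the browser-like parse additionally yields a `b` start tag; `hidden_elements` reports that difference. The same input placed under a `<p>` instead of `<svg>` yields an empty set, because outside foreign content both parsers agree. The point for a practitioner is that an element-level cleaner can only strip what its parser shows it, so the fix is the upgrade named above; a check like `hidden_elements` is at most a defence-in-depth signal for untrusted input that contains `<svg>` or `<math>`.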

Affected products

fedoralovespython — lxml_html_clean

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.