CVE-2026-28348
📋 TL;DR
This vulnerability in lxml_html_clean allows attackers to bypass the library's CSS filtering by using Unicode escape sequences inside CSS, potentially enabling cross-site scripting (XSS) in older browsers that evaluate CSS expressions, or the loading of external stylesheets. It affects applications that rely on lxml_html_clean versions before 0.4.4 to sanitize untrusted HTML. The risk is highest for web applications that accept HTML from untrusted users and render it back to other users.
💻 Affected Systems
- lxml_html_clean
⚠️ Manual Verification Required
The CVE record this database draws on carries no version ranges, so automatic detection cannot tell whether your installation is affected.
Why? The NVD entry does not specify which versions are vulnerable. The vendor advisory linked under Official Fix does state the fixed release (0.4.4), so compare your installed version against that rather than relying on automated matching.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Successful XSS leading to session hijacking, credential theft, or malware delivery to users of older browsers that evaluate CSS expression(), or loading of attacker-controlled external stylesheets into pages viewed by any browser.
Likely Case
Limited XSS impact confined to older browser versions: modern browsers do not evaluate CSS expression(), which removes the script-execution vector but not the external CSS loading one.
If Mitigated
Little or no impact if a strict Content Security Policy blocks inline styles and external stylesheets, if style content is validated before it reaches the library, or if the application is only served to modern browsers (which closes the expression() vector only).
🎯 Exploit Status
Exploitation requires submitting HTML whose CSS contains escape sequences that the filter fails to decode before matching. No special tooling is needed once the technique is understood, so treat it as straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.4.4
Vendor Advisory: https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-hw26-mmpg-fqfg
Restart Required: Yes. Long-running Python processes (web workers, Celery workers) keep the old module loaded until they are restarted.
Instructions:
1. Update lxml_html_clean to version 0.4.4 or later using pip (quote the specifier so the shell does not treat > as an output redirect): pip install --upgrade "lxml_html_clean>=0.4.4"
2. Verify the update in your requirements.txt or pyproject.toml
3. Test HTML cleaning functionality after update
🔧 Temporary Workarounds
Input Validation Filter
Implement additional input validation that rejects or neutralizes CSS escape sequences before the HTML reaches lxml_html_clean. Note that CSS escapes are a backslash followed by one to six hexadecimal digits (for example \65 xpression decodes to expression), not the \uXXXX form used in JavaScript and Python string literals, so a filter that only looks for \u will miss them.
# Python example: re.sub(r'\\[0-9a-fA-F]{1,6}', '', css_text) before cleaning (strips hex escapes; reject the input outright if you would rather not reason about the stripped result)
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline styles and external CSS
- Use additional HTML sanitization libraries alongside lxml_html_clean as defense in depth
🔍 How to Verify
Check if Vulnerable:
Check the installed version from the shell: pip show lxml_html_clean | grep Version
Or from Python, using the package metadata that every installed distribution carries: python -c "from importlib.metadata import version; print(version('lxml_html_clean'))"
Any version below 0.4.4 is affected. Check every environment that imports the library (virtualenvs, containers, vendored copies), not just the build host.
Verify Fix Applied:
Confirm the reported version is 0.4.4 or higher, then re-run your HTML-cleaning tests, including a case whose style content uses CSS escape sequences, and confirm the cleaned output contains no expression() or @import.
📡 Detection & Monitoring
Log Indicators:
- Unusual CSS patterns with backslash escapes in HTML input
- Repeated submissions from the same client whose style content is stripped or rejected during cleaning (if your application logs cleaner outcomes)
Network Indicators:
- Unexpected @import CSS directives in user-generated content
- CSS expression() function calls
SIEM Query (pseudo-syntax; adapt to your platform):
web_logs WHERE url_parameters CONTAINS '\u' OR request_body CONTAINS 'expression(' OR request_body CONTAINS '@import'
Decode percent-encoding (%5C for the backslash) and HTML entities before matching, and where your platform supports regular expressions also match a backslash followed by a hexadecimal digit, since that is the actual CSS escape form.
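Worked example covering both the Input Validation Filter workaround and the detection logic above. This is code added for this page, not code from lxml_html_clean or from the advisory. The escape decoding follows the CSS Syntax specification (backslash plus one to six hex digits, optional trailing whitespace consumed); the regex-based extraction of style attributes and <style> bodies is an assumption that is good enough for a stop-gap prefilter; the blocked-construct list is the page's own two indicators (expression( and @import); and the log records are constructed samples, not real traffic.

```python
import html
import re
import urllib.parse

# Added example for this page, not code from lxml_html_clean. It decodes CSS
# escape sequences the way a CSS tokenizer does before looking for the
# constructs the page names (expression() and @import), so an escaped or
# comment-split spelling cannot slip past a plain substring match.

# CSS Syntax Level 3 escape: backslash + 1-6 hex digits (+ one optional
# whitespace that is consumed), or backslash + any single non-newline char.
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|([^\r\n\f]))")
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Blocked constructs after normalization (the page's two indicators).
_DANGEROUS = re.compile(r"expression\s*\(|@import\b")
# Crude extractors for inline style attributes and <style> bodies. Assumption:
# adequate for a stop-gap prefilter, not a replacement for the cleaner itself.
_STYLE_ATTR = re.compile(r"""\bstyle\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.IGNORECASE)
_STYLE_BLOCK = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.IGNORECASE | re.DOTALL)


def decode_css_escapes(css):
    """Replace every CSS escape sequence with the character it encodes."""
    def _replace(match):
        hexdigits, literal = match.group(1), match.group(2)
        if hexdigits is None:
            return literal
        codepoint = int(hexdigits, 16)
        # NUL, surrogates and out-of-range values decode to U+FFFD per the spec.
        if codepoint == 0 or codepoint > 0x10FFFF or 0xD800 <= codepoint <= 0xDFFF:
            return "\ufffd"
        return chr(codepoint)
    return _CSS_ESCAPE.sub(_replace, css)


def normalize_css(css):
    """Canonical form for matching: comments removed, escapes decoded, lowercased.

    Comments are removed first because a CSS tokenizer consumes them before
    escapes are interpreted; an escaped slash (\\2f) never opens a comment.
    """
    return decode_css_escapes(_CSS_COMMENT.sub("", css)).lower()


def is_dangerous_css(css):
    """Return the blocked construct found in the normalized CSS, or None."""
    match = _DANGEROUS.search(normalize_css(css))
    return match.group(0) if match else None


def check_html_styles(markup):
    """Stop-gap prefilter for untrusted HTML.

    Returns the first blocked construct found in any style attribute or
    <style> block, or None if the markup may be passed on to the cleaner.
    Attribute values are entity-decoded first so &#92; cannot hide a backslash.
    """
    candidates = [html.unescape(a or b) for a, b in _STYLE_ATTR.findall(markup)]
    candidates += _STYLE_BLOCK.findall(markup)
    for css in candidates:
        hit = is_dangerous_css(css)
        if hit:
            return hit
    return None


def scan_log_records(records):
    """Detection counterpart of the SIEM query.

    Percent- and entity-decodes each field, normalizes it, and reports a
    (record index, field, construct) tuple for every hit.
    """
    hits = []
    for index, record in enumerate(records):
        for field in ("url_parameters", "request_body"):
            raw = record.get(field, "")
            hit = is_dangerous_css(html.unescape(urllib.parse.unquote(raw)))
            if hit:
                hits.append((index, field, hit))
    return hits


# Constructed sample log records (not real traffic). Record 1 hides the 'e' of
# expression behind a hex escape, record 2 percent-encodes an escaped '@import',
# record 3 splits 'expression' with an empty comment.
SAMPLE_LOG = [
    {"url_parameters": "q=lxml", "request_body": '<p style="color:red">hi</p>'},
    {"url_parameters": "", "request_body": '<div style="width:\\65 xpression(alert(1))">x</div>'},
    {"url_parameters": "bio=%5C40import%20url(http://evil.example/x.css)", "request_body": ""},
    {"url_parameters": "", "request_body": "<style>body{background:ex/**/pression(alert(1))}</style>"},
]

if __name__ == "__main__":
    for index, field, hit in scan_log_records(SAMPLE_LOG):
        print(f"record {index}: {field} contains {hit!r} after normalization")
```

Run check_html_styles on untrusted HTML before it reaches the cleaner and reject the request on a hit rather than trying to repair the CSS; run scan_log_records over decoded request fields to get the normalized equivalent of the SIEM query, which a raw substring search for '\u' or 'expression(' cannot provide.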