Skip to main content

TYPO3 html-sanitizer CVE-2026-47344

| EUVDEUVD-2026-35191 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-08 TYPO3 GHSA-jvf5-rxvv-3mcg
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 20:23 vuln.today
Analysis Generated
Jun 08, 2026 - 20:23 vuln.today
CVSS changed
Jun 08, 2026 - 20:22 NVD
2.1 (LOW)

DescriptionCVE.org

When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.

AnalysisAI

XSS sanitizer bypass in typo3/html-sanitizer before 2.3.2 allows authenticated low-privileged users to inject unsanitized HTML by exploiting a parser divergence between the Masterminds HTML5 tokenizer and browser behavior for whitespace-variant closing tags such as </style\t>. The vulnerability is gated behind the non-default ALLOW_INSECURE_RAW_TEXT configuration flag, substantially limiting exposure. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Technical ContextAI

The root cause (CWE-79) is a parser inconsistency in the rawText() method of the Masterminds HTML5 tokenizer, which typo3/html-sanitizer used internally prior to version 2.3.2. The HTML5 specification (§ 8.2.6.1) permits optional whitespace between a raw-text closing tag name and the terminating '>' character, making </style\t> a syntactically valid end tag. The Masterminds tokenizer's rawText() searched only for the literal sequence '</style>' without consuming trailing whitespace, so it failed to detect </style\t> as a closing tag and treated subsequent content as still inside the raw-text element. Browsers, being compliant with the HTML5 spec, correctly parse </style\t> as the closing tag, causing content injected after it to execute as normal HTML rather than raw text. The fix (commit bd1a88d9) introduces a custom TYPO3\HtmlSanitizer\Parser\Tokenizer subclass that mirrors the existing rcdata() whitespace-handling behavior in rawText(), and a custom Html5 parser class that wires this fixed tokenizer into the sanitization pipeline. All versions matching CPE cpe:2.3:a:typo3:html_sanitizer:*:*:*:*:*:*:*:* before 2.3.2 are affected.

RemediationAI

Upgrade to typo3/html-sanitizer 2.3.2 or later, which resolves the issue by introducing a custom Tokenizer subclass (src/Parser/Tokenizer.php) that correctly handles whitespace-variant closing tags per HTML5 spec § 8.2.6.1, eliminating the parser divergence with browsers. The patch commit is bd1a88d9b5a5f67f1120ec41084e9c1a0675641c (https://github.com/TYPO3/html-sanitizer/commit/bd1a88d9b5a5f67f1120ec41084e9c1a0675641c), and the vendor advisory is at https://typo3.org/security/advisory/typo3-core-sa-2026-006. If an immediate upgrade is not feasible, disabling the ALLOW_INSECURE_RAW_TEXT configuration option eliminates the vulnerable code path entirely and is the recommended compensating control; however, this may break application functionality that depends on passing raw HTML through the sanitizer, so operators should audit usage before disabling it. No other workaround is known that preserves ALLOW_INSECURE_RAW_TEXT while closing the bypass.

Share

CVE-2026-47344 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy