Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.
AnalysisAI
XSS sanitizer bypass in typo3/html-sanitizer before 2.3.2 allows authenticated low-privileged users to inject unsanitized HTML by exploiting a parser divergence between the Masterminds HTML5 tokenizer and browser behavior for whitespace-variant closing tags such as </style\t>. The vulnerability is gated behind the non-default ALLOW_INSECURE_RAW_TEXT configuration flag, substantially limiting exposure. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Technical ContextAI
The root cause (CWE-79) is a parser inconsistency in the rawText() method of the Masterminds HTML5 tokenizer, which typo3/html-sanitizer used internally prior to version 2.3.2. The HTML5 specification (§ 8.2.6.1) permits optional whitespace between a raw-text closing tag name and the terminating '>' character, making </style\t> a syntactically valid end tag. The Masterminds tokenizer's rawText() searched only for the literal sequence '</style>' without consuming trailing whitespace, so it failed to detect </style\t> as a closing tag and treated subsequent content as still inside the raw-text element. Browsers, being compliant with the HTML5 spec, correctly parse </style\t> as the closing tag, causing content injected after it to execute as normal HTML rather than raw text. The fix (commit bd1a88d9) introduces a custom TYPO3\HtmlSanitizer\Parser\Tokenizer subclass that mirrors the existing rcdata() whitespace-handling behavior in rawText(), and a custom Html5 parser class that wires this fixed tokenizer into the sanitization pipeline. All versions matching CPE cpe:2.3:a:typo3:html_sanitizer:*:*:*:*:*:*:*:* before 2.3.2 are affected.
RemediationAI
Upgrade to typo3/html-sanitizer 2.3.2 or later, which resolves the issue by introducing a custom Tokenizer subclass (src/Parser/Tokenizer.php) that correctly handles whitespace-variant closing tags per HTML5 spec § 8.2.6.1, eliminating the parser divergence with browsers. The patch commit is bd1a88d9b5a5f67f1120ec41084e9c1a0675641c (https://github.com/TYPO3/html-sanitizer/commit/bd1a88d9b5a5f67f1120ec41084e9c1a0675641c), and the vendor advisory is at https://typo3.org/security/advisory/typo3-core-sa-2026-006. If an immediate upgrade is not feasible, disabling the ALLOW_INSECURE_RAW_TEXT configuration option eliminates the vulnerable code path entirely and is the recommended compensating control; however, this may break application functionality that depends on passing raw HTML through the sanitizer, so operators should audit usage before disabling it. No other workaround is known that preserves ALLOW_INSECURE_RAW_TEXT while closing the bypass.
More in Html Sanitizer
View allCross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows re
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x al
Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for
TYPO3 is an open source PHP based web content management system released under the GNU GPL. Rated medium severity (CVSS
TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to provide cross-site-scripting-safe markup based on e
HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and val
The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explic
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. Rated medium severi
HTML serialization in typo3/html-sanitizer before version 2.3.2 fails to encode namespace attributes (xmlns:*), allowing
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35191
GHSA-jvf5-rxvv-3mcg