Skip to main content

Html Sanitizer

10 CVEs product

Monthly

CVE-2026-47345 PHP MEDIUM PATCH GHSA This Month

HTML serialization in typo3/html-sanitizer before version 2.3.2 fails to encode namespace attributes (xmlns:*), allowing an authenticated low-privilege attacker to inject unsanitized XSS payloads that execute in victims' browsers. The vulnerability bypasses the library's core XSS prevention purpose: crafted namespace attribute values containing raw HTML (e.g., onerror handlers) survive the sanitizer and render as executable markup. No public exploit has been independently identified at time of analysis, though the vendor-published commit includes a working test case demonstrating the exact bypass payload.

XSS Html Sanitizer
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-47344 PHP LOW PATCH GHSA Monitor

XSS sanitizer bypass in typo3/html-sanitizer before 2.3.2 allows authenticated low-privileged users to inject unsanitized HTML by exploiting a parser divergence between the Masterminds HTML5 tokenizer and browser behavior for whitespace-variant closing tags such as </style\t>. The vulnerability is gated behind the non-default ALLOW_INSECURE_RAW_TEXT configuration flag, substantially limiting exposure. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

XSS Html Sanitizer
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2023-47125 PHP MEDIUM PATCH This Month

TYPO3 is an open source PHP based web content management system released under the GNU GPL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

PHP XSS Html Sanitizer Typo3
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2023-38500 PHP MEDIUM PATCH This Month

TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to provide cross-site-scripting-safe markup based on explicitly allowed tags, attributes and values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Html Sanitizer
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-23499 PHP MEDIUM PATCH This Month

HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Html Sanitizer
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-36020 PHP MEDIUM PATCH This Month

The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Html Sanitizer
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2018-3741 Ruby MEDIUM PATCH This Month

There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Html Sanitizer
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2015-7580 Ruby MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Html Sanitizer
NVD GitHub
CVSS 3.0
6.1
EPSS
0.2%
CVE-2015-7579 Ruby MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Html Sanitizer
NVD GitHub
CVSS 3.0
6.1
EPSS
0.2%
CVE-2015-7578 Ruby MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Html Sanitizer
NVD GitHub
CVSS 3.0
6.1
EPSS
0.2%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

HTML serialization in typo3/html-sanitizer before version 2.3.2 fails to encode namespace attributes (xmlns:*), allowing an authenticated low-privilege attacker to inject unsanitized XSS payloads that execute in victims' browsers. The vulnerability bypasses the library's core XSS prevention purpose: crafted namespace attribute values containing raw HTML (e.g., onerror handlers) survive the sanitizer and render as executable markup. No public exploit has been independently identified at time of analysis, though the vendor-published commit includes a working test case demonstrating the exact bypass payload.

XSS Html Sanitizer
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

XSS sanitizer bypass in typo3/html-sanitizer before 2.3.2 allows authenticated low-privileged users to inject unsanitized HTML by exploiting a parser divergence between the Masterminds HTML5 tokenizer and browser behavior for whitespace-variant closing tags such as </style\t>. The vulnerability is gated behind the non-default ALLOW_INSECURE_RAW_TEXT configuration flag, substantially limiting exposure. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

XSS Html Sanitizer
NVD GitHub VulDB
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

TYPO3 is an open source PHP based web content management system released under the GNU GPL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

PHP XSS Html Sanitizer +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to provide cross-site-scripting-safe markup based on explicitly allowed tags, attributes and values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Html Sanitizer
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Html Sanitizer
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Html Sanitizer
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Html Sanitizer
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Html Sanitizer
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Html Sanitizer
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Html Sanitizer
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy