Security Bulletin: Cross-Site Scripting (XSS) Vulnerability in OWASP Java HTML Sanitizer via HtmlPolicyBuilder noscript/style Tags (v20240325.1), affects watsonx.data

Summary A vulnerability in OWASP Java HTML Sanitizer v20240325.1 allows Cross-Site Scripting XSS when HtmlPolicyBuilder permits noscript or style tags with allowTextIn. Unsanitized CSS or unexpected tags can be exploited by attackers. No patch is available at the time of this publication. This ca...

USN-8077-1: Bleach vulnerabilities

It was discovered that Bleach did not properly sanitize URI attributes containing character entities. An attacker could possibly use this issue to construct a URI with a disallowed scheme that would bypass sanitization, leading to cross-site scripting. This issue only affected Ubuntu 18.04 LTS...

USN-8077-1 python-bleach vulnerabilities

It was discovered that Bleach did not properly sanitize URI attributes containing character entities. An attacker could possibly use this issue to construct a URI with a disallowed scheme that would bypass sanitization, leading to cross-site scripting. This issue only affected Ubuntu 18.04 LTS...

Cross-site Scripting (XSS)

OWASP Java HTML Sanitizer is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization when HtmlPolicyBuilder permits noscript and style tags with allowTextIn, which allows an attacker to craft malicious CSS or HTML payloads that bypass the defined policy and execu...

CVE-2025-66021

The CVE-2025-66021 entry concerns OWASP Java HTML Sanitizer (version 20240325.1). The vulnerability arises when HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag, enabling XSS if crafted payloads bypass CSS sanitization and include unallowed tags. Public detai...

EUVD-2025-199654

OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style...

CVE-2025-66021 OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization

OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style...

CVE-2025-66021 OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization

OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style...

CVE-2025-66021 OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization

OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style...

Owasp Json-sanitizer 安全漏洞

Owasp Json-sanitizer is a Java-based code library from the OWASP Foundation that generates Json format data from Json like text content. A security vulnerability exists in Owasp Json-sanitizer version 20240325.1, which stems from HtmlPolicyBuilder allowing noscript and style tags, which could lea...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the HtmlPolicyBuilder when both noscript and style tags are allowed and allowTextIn is enabled for the style tag. An attacker can execute arbitrary scripts in the context of the user's browser by crafting...

OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization

Summary It is observed that OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not...

GHSA-G9GQ-3PFX-2GW2 OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization

Summary It is observed that OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not...

PT-2025-48110

Name of the Vulnerable Software and Affected Versions OWASP Java HTML Sanitizer versions 20240325.1 Description OWASP Java HTML Sanitizer is vulnerable to Cross-Site Scripting XSS when the HtmlPolicyBuilder allows noscript and style tags with allowTextIn enabled within the style tag. This occurs...

EUVD-2024-2530

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2024-53989

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of...

Internet Bug Bounty: ActionView sanitize helper bypass with noscript

The Rails-html-sanitizer 1.6.0 contained a vulnerability that allowed bypassing the sanitization process when the noscript tag was used. This could have led to potential cross-site scripting XSS attacks in applications that used the vulnerable version of the sanitizer, including those using the...

SUSE CVE-2024-53989

rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails = 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitiz...

DEBIAN-CVE-2024-52595

lxmlhtmlclean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as , and . This behavior deviates from how web browsers parse and interpret such tags...

UBUNTU-CVE-2024-52595

lxmlhtmlclean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as , and . This behavior deviates from how web browsers parse and interpret such tags...