GHSA-GJ48-438W-JH9V Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes

Summary Bleach clean / Cleaner fails to sanitize dangerous URI schemes in allowed formaction attributes. Bleach applies URI protocol sanitization only to attributes listed in attrvalisuri. While URI-bearing attributes such as action, href, src, and poster are included in that set, formaction is...

CVE-2026-53606

A CVE-2026-53606 entry concerns ApostropheCMS (Node.js) and its dependency sanitize-html. The issue arises in sanitize-html versions prior to 2.17.5, where allowedSchemesAppliedToAttributes (default: ['href','src','cite']) do not cover all URI-bearing attributes (e.g., action, formaction, data, p...

CVE-2026-53606 sanitize-html has an incomplete URI scheme validation that allows javascript: URIs through action, formaction, data, poster, and background attributes

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use allowedSchemesAppliedToAttributes default: 'href', 'src', 'cite' to gate the naughtyHref function that blocks...

Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)

Description symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is...

PT-2026-44727

Name of the Vulnerable Software and Affected Versions symfony/html-sanitizer versions prior to 6.4 Description The UrlAttributeSanitizer visitor fails to validate the schemes of several URL-valued attributes because they are missing from the getSupportedAttributes list. Specifically, the action...

Cross-site Scripting (XSS)

Overview symfony/html-sanitizer is a Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM. Affected versions of this package are vulnerable to Cross-site Scripting XSS via incomplete URL attribute validation in UrlAttributeSanitizer. An attacke...

Astra Linux – Vulnerability in lxml

A XSS vulnerability was discovered in the python-lxml’s clean module versions prior to 4.6.3. When the “safe attrsonly” and “forms” arguments are disabled, the Cleaner class does not remove the “formaction” attribute, allowing JavaScript to bypass the sanitizer. A remote attacker could exploit th...

Payload-XSS

Payload-XSS Daftar Isi 1. Payload Dasar 1-20payload-...

MiracleLinux 8 : python-lxml-4.2.3-3.el8 (AXSA:2021-2726:02)

The remote MiracleLinux 8 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2021-2726:02 advisory. python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS CVE-2021-28957 Tenable has extracted the preceding description block...

EUVD-2018-6836

Malware in sbrugna...

Medium: python-lxml

Issue Overview: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this...

Silverstripe XSS In FormAction

A cross-site scripting vulnerability has been discovered in the FormAction field where a user-specified title may be specified...

GHSA-4H54-VWX9-3VR3 Silverstripe XSS In FormAction

A cross-site scripting vulnerability has been discovered in the FormAction field where a user-specified title may be specified...

Mars: Reflected XSS on formaction parameter

The formaction parameter of the target application was found to contain a reflected Cross-Site Scripting XSS vulnerability. User-supplied data was reflected back without proper sanitization, allowing for the injection of malicious JavaScript code. The issue was compounded by potential cache...

SUSE CVE-2018-14954

The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute...

SUSE CVE-2021-28957

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)

Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting XSS Exploit Author: LiquidWorm enteliTouch XSS input type="hidden" nam...

python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS

A flaw was found in python-lxml. The HTML5 formaction attribute is not input sanitized like the HTML action attribute is which can lead to a Cross-Site Scripting attack XSS when an application uses python-lxml to sanitize user inputs. The highest threat from this vulnerability is to data...

python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS

A flaw was found in python-lxml. The HTML5 formaction attribute is not input sanitized like the HTML action attribute is which can lead to a Cross-Site Scripting attack XSS when an application uses python-lxml to sanitize user inputs. The highest threat from this vulnerability is to data...

Moderate: Red Hat Security Advisory: python-lxml security update

An update for python-lxml is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fro...