CVE-2021-43818

HTML Cleaner allows crafted and SVG embedded scripts to pass through

Description

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users who employ the HTML cleaner in a security-relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

CVSS

Base score: 8.2
Severity: High
EPSS: 2.86% (top 15%)
Affected: lxml (vendor: lxml)

References

Link (tags)
https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8 (third party advisory)
https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a (third party advisory, patch)
https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776 (third party advisory, patch)
https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0 (third party advisory, patch)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/ (vendor advisory)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/ (vendor advisory)
https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html (third party advisory, mailing list)
https://www.debian.org/security/2022/dsa-5043 (third party advisory, vendor advisory)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/ (vendor advisory)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/ (vendor advisory)
https://www.oracle.com/security-alerts/cpuapr2022.html (third party advisory, patch)
https://security.netapp.com/advisory/ntap-20220107-0005/ (third party advisory)
https://www.oracle.com/security-alerts/cpujul2022.html (third party advisory, patch)
https://security.gentoo.org/glsa/202208-06 (third party advisory, vendor advisory)

Frequently Asked Questions

What is the severity of CVE-2021-43818?
CVE-2021-43818 has been scored as a high severity vulnerability.
How to fix CVE-2021-43818?
To fix CVE-2021-43818, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As of now, there are no other specific guidelines available.
Is CVE-2021-43818 being actively exploited in the wild?
It is possible that CVE-2021-43818 is being exploited or will be exploited in the near future based on public information. According to its EPSS score, there is a ~3% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-43818?
CVE-2021-43818 affects lxml (vendor: lxml).
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.