VDB
CISA-2014-3146
CISA-2014-3146
PUBLISHED
CVSS 6.1 MEDIUM
Reported by redhat · Published May 14, 2014
Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
Risk Scores
CVSS 3.1
6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
| n/a | n/a | *, * |
Timeline
- May 14, 2014 CVE Published
- Dec 17, 2025 CVE Updated
- Mar 26, 2026 Distribution Patch
- Mar 26, 2026 Distribution Patch
- Mar 26, 2026 Security Advisory
- Mar 26, 2026 Security Advisory
References
- DSA-2941 vendor-advisoryx_refsource_DEBIAN
- x_refsource_CONFIRM
- [oss-security] 20140509 Re: CVE request: python-lxml clean_html() input sanitization flaw mailing-listx_refsource_MLIST
- USN-2217-1 vendor-advisoryx_refsource_UBUNTU
- [lxml] 20140415 lxml.html.clean vulnerability mailing-listx_refsource_MLIST
- 58744 third-party-advisoryx_refsource_SECUNIA
- x_refsource_CONFIRM
- 67159 vdb-entryx_refsource_BID
- MDVSA-2015:112 vendor-advisoryx_refsource_MANDRIVA
- 58013 third-party-advisoryx_refsource_SECUNIA
- 20140415 lxml (python lib) vulnerability mailing-listx_refsource_FULLDISC
- 59008 third-party-advisoryx_refsource_SECUNIA
- openSUSE-SU-2014:0735 vendor-advisoryx_refsource_SUSE
- 20140430 Re: lxml (python lib) vulnerability mailing-listx_refsource_FULLDISC