
GCVE-VVD-MAGEIA-2021-246

Advisory Published
Vulnetix · Advisory published June 13, 2021
An XSS vulnerability was discovered in the clean module of python-lxml in versions before 4.6.3. When the safe_attrs_only and forms arguments are disabled, the Cleaner class does not remove the formaction attribute, allowing JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code against users who interact with incorrectly sanitized HTML (CVE-2021-28957).
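
A post-sanitization check for the attribute named in the advisory, as an added example (not part of the advisory or of lxml's code): it scans already-cleaned HTML for surviving formaction attributes using only the Python standard library. The class and function names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# C0 control characters and space, which browsers strip from the front of a URL.
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))


def is_script_url(value):
    """True if a browser would treat the value as a javascript: URL."""
    # Browsers drop tab, LF and CR anywhere in a URL before parsing the scheme.
    cleaned = "".join(ch for ch in value if ch not in "\t\n\r")
    return cleaned.lstrip(_LEADING_JUNK).lower().startswith("javascript:")


class FormactionAudit(HTMLParser):
    """Collect every formaction attribute left in sanitized HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names and decodes
        # character references in attribute values before calling us.
        for name, value in attrs:
            if name == "formaction":
                line, _col = self.getpos()
                self.findings.append((line, tag, value or ""))


def audit(html):
    """Return (line, tag, value, is_script_url) for each formaction found."""
    parser = FormactionAudit()
    parser.feed(html)
    parser.close()
    return [(ln, tag, val, is_script_url(val)) for ln, tag, val in parser.findings]


# Constructed sample: sanitizer output in which formaction was not removed.
SAMPLE = (
    '<form action="/save">\n'
    '<input type="text" name="q">\n'
    '<button formaction="javascript:void(0)">Save</button>\n'
    '<input type="submit" FormAction="/alt" value="Alt">\n'
    '</form>\n'
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any finding means the sanitizer configuration let formaction through; a finding flagged as a script URL is the case the advisory describes.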

Affected Products

| Vendor | Product | Versions | Platforms |
|--------|---------|----------|-----------|
| Mageia | python-lxml | 0 (affected), 4.3.0-1.3.mga7 (unaffected) | |
| Mageia | python-lxml | 0 (affected), 4.6.3-1.mga8 (unaffected) | |
