lxml_html_clean: CSS loading or XSS in older browsers
UBUNTU-CVE-2026-28348 (CVE-2026-28348)
Summary
Versions of lxml_html_clean before 0.4.4 do not decode CSS escape sequences before checking style content for dangerous keywords: the check strips backslashes and then looks for `@import` and `expression(`, so a value such as `@\69mport` passes the filter and reaches the browser, which decodes it to `@import`. An attacker who controls HTML that the cleaner is meant to sanitize can therefore load an external stylesheet or, in older browsers that still evaluate `expression()`, run script. Upgrade to version 0.4.4 or later. If you cannot upgrade, do not rely on keyword filtering of styles at all: configure the cleaner to drop `<style>` elements and `style` attributes entirely (the `style` and `inline_style` options of the lxml Cleaner this project was copied from), or use a sanitizer that parses CSS rather than pattern-matching it.
What to do
No fixed Ubuntu package is listed for this advisory yet; for the distribution package, check with Canonical for updates. Upstream fixed the issue in lxml_html_clean 0.4.4, so if you install the library from PyPI (for example into a virtualenv), upgrade to 0.4.4 or later and confirm the installed version with `pip show lxml_html_clean`.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| canonical | lxml-html-clean | All versions | – |
Original description
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers. This issue has been patched in version 0.4.4.
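The following is an added illustration and is not the project's own code: a simplified Python model of the check the description above refers to, reconstructed from the advisory text rather than from the library's source. `has_sneaky_css_old` models the pre-0.4.4 behaviour (drop every backslash, then look for the keywords); `has_sneaky_css_new` shows one way to harden it, decoding CSS escapes (`\` followed by one to six hex digits and an optional terminating whitespace character, as in CSS Syntax Level 3) before matching, so the filter sees the same text a browser's CSS parser would. The sample style values are constructed for this example; `\69` and `\78` are ASCII `i` and `x`. Function names and sample values are this example's own assumptions.

```python
import re

# Added example, not lxml_html_clean's code: a MODEL of the vulnerable check and
# a hardened variant, reconstructed from the advisory text.

# CSS escape: backslash, 1-6 hex digits, optionally one whitespace char that
# terminates the escape (so "\69 mport" decodes to "import").
CSS_ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?")
CSS_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
WHITESPACE_RE = re.compile(r"[\s\x00-\x1f]+")

# The two keywords named in the advisory, plus the javascript: scheme.
DANGEROUS_TOKENS = ("@import", "expression(", "javascript:")


def _normalise(style: str) -> str:
    """Strip comments and all whitespace/control characters, lower-case the rest."""
    style = CSS_COMMENT_RE.sub("", style)
    return WHITESPACE_RE.sub("", style).lower()


def has_sneaky_css_old(style: str) -> bool:
    """Model of the vulnerable check: drop every backslash, then keyword-match.
    '@\\69mport' becomes '@69mport', so the @import filter never fires, yet a
    browser decodes the original to '@import'."""
    style = style.replace("\\", "")
    return any(tok in _normalise(style) for tok in DANGEROUS_TOKENS)


def decode_css_escapes(style: str) -> str:
    """Resolve '\\HH...' escapes to the characters they stand for."""
    def _repl(m):
        cp = int(m.group(1), 16)
        # CSS maps NUL, surrogates and out-of-range values to U+FFFD.
        if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return "\ufffd"
        return chr(cp)
    return CSS_ESCAPE_RE.sub(_repl, style)


def has_sneaky_css_new(style: str) -> bool:
    """Hardened check: decode hex escapes first, then drop the remaining
    backslashes (a non-hex escape such as '\\@' simply means '@')."""
    style = decode_css_escapes(style)
    style = style.replace("\\", "")
    return any(tok in _normalise(style) for tok in DANGEROUS_TOKENS)


# Constructed samples (not from the advisory): attacker-controlled style values.
SAMPLES = {
    "plain import": "@import url(https://evil.example/x.css)",
    "hex-escaped import": "@\\69mport url(https://evil.example/x.css)",
    "escape with terminator": "@\\69 mport url(https://evil.example/x.css)",
    "hex-escaped expression": "width: e\\78pression(alert(1))",
    "bare backslash (old check caught this)": "@\\import url(x)",
    "benign": "color: red; background: url(img.png)",
}


def compare(samples=SAMPLES):
    """Return {name: (old_verdict, new_verdict)} for each sample style."""
    return {n: (has_sneaky_css_old(s), has_sneaky_css_new(s)) for n, s in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:40s} old={old!s:5s} new={new}")
```

Run as a script, the table shows the three escaped samples slipping past the old check while the plain `@import`, the bare-backslash trick and the hardened check all behave as expected. The practical lesson is the ordering: any transformation the browser applies (escape decoding, comment removal, whitespace folding) has to be applied by the filter before it looks for keywords, otherwise the filter and the browser are reading different strings.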
CVSS 3.1 score (OSV): 6.1
References
- https://ubuntu.com/security/CVE-2026-28348 (third-party advisory)
- https://www.cve.org/CVERecord?id=CVE-2026-28348 (CVE record)
- https://github.com/fedora-python/lxml_html_clean/commit/2ef732667ddbc74ea59847bc... (upstream fix commit)
- https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-hw26-m... (upstream GitHub security advisory)
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026