lxml_html_clean: Unchecked <base> tag allows link hijacking
DEBIAN-CVE-2026-28350
Summary
The lxml_html_clean Python library failed to properly handle the <base> tag in HTML, potentially allowing an attacker to manipulate links on a page. This is a security risk because it could be used to redirect users to malicious sites. Update to version 0.4.4 or later to fix this issue.
What to do
- Update debian lxml-html-clean to version 0.4.4-1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | lxml-html-clean | All versions | – |
| debian | lxml-html-clean | <= 0.4.4-1 | 0.4.4-1 |
Original title
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the <base> tag passes through the default Cleaner configuration. While page_str...
Original description
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the <base> tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, there is no specific handling for <base>, allowing an attacker to inject it and hijack relative links on the page. This issue has been patched in version 0.4.4.
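A post-sanitization check for the issue described above, as an added example (not code from lxml_html_clean or from this advisory): using only the Python standard library, it flags any `<base>` tag left in cleaner output and lists the links it would re-point to another host. The names `audit_fragment` and `URL_ATTRS`, the sample markup and the `example` hosts are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL attribute is resolved against the document base URL.
URL_ATTRS = {"a": "href", "area": "href", "link": "href", "img": "src",
             "script": "src", "iframe": "src", "form": "action"}

class _BaseAudit(HTMLParser):
    """Collects <base href> values and URL-bearing attributes from a fragment."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.base_hrefs, self.refs = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base_hrefs.append(attrs["href"])
        elif tag in URL_ATTRS and attrs.get(URL_ATTRS[tag]):
            self.refs.append(attrs[URL_ATTRS[tag]])

def audit_fragment(cleaned_html, page_url):
    """Report leftover <base> tags and the links whose host they change."""
    parser = _BaseAudit()
    parser.feed(cleaned_html)
    parser.close()
    # Browsers use the first <base> element that carries an href.
    effective = urljoin(page_url, parser.base_hrefs[0]) if parser.base_hrefs else page_url
    hijacked = []
    for ref in parser.refs:
        intended = urljoin(page_url, ref)   # where the site expects the link to go
        actual = urljoin(effective, ref)    # where it goes once <base> applies
        if urlsplit(intended).netloc != urlsplit(actual).netloc:
            hijacked.append((ref, intended, actual))
    return {"base_tags": parser.base_hrefs, "hijacked": hijacked}

# Constructed sample: sanitizer output that still contains a <base> tag.
PAGE_URL = "https://site.example/forum/post/1"
SAMPLE = ('<base href="https://other.example/">'
          '<p><a href="/account/reset">Reset</a> '
          '<a href="https://site.example/help">Help</a></p>')

if __name__ == "__main__":
    report = audit_fragment(SAMPLE, PAGE_URL)
    print("base tags:", report["base_tags"])
    for ref, intended, actual in report["hijacked"]:
        print(f"{ref}: expected {intended}, resolves to {actual}")
```

Run it over stored or freshly cleaned fragments; an empty `base_tags` list is the expected result after updating to 0.4.4.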
CVSS 3.1 (osv): 6.1
- https://security-tracker.debian.org/tracker/CVE-2026-28350 Vendor Advisory
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 13 Mar 2026