
lxml_html_clean: Malicious CSS Can Bypass Security Filters

DEBIAN-CVE-2026-28348
Summary

If you're using a version of lxml_html_clean prior to 0.4.4, an attacker could get malicious styles or code loaded into your website, potentially allowing them to steal data or take control of your site. Update to version 0.4.4 or later to fix this issue.

What to do
  • Update debian lxml-html-clean to version 0.4.4-1.
Affected software
Vendor | Product | Affected versions | Fix available
debian | lxml-html-clean | All versions | –
debian | lxml-html-clean | <= 0.4.4-1 | 0.4.4-1
Original title
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dang...
Original description
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers. This issue has been patched in version 0.4.4.
osv CVSS3.1 6.1
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 13 Mar 2026
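
The ordering problem in the description, shown as an added example (not lxml_html_clean's code or its patch): `strip_then_match` is a simplified model of deleting backslashes before the keyword check, and `decode_then_match` resolves CSS escapes first. All function names and sample strings here are constructed for illustration.

```python
import re

# CSS Syntax Level 3 escape: backslash + 1-6 hex digits + one optional
# whitespace, or backslash + any single non-newline character.
_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})(?:\r\n|[ \t\r\n\f])?|([^\r\n\f]))")
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
KEYWORDS = ("@import", "expression(")  # the two filters named in the advisory


def decode_css_escapes(css: str) -> str:
    """Resolve CSS escapes to the characters a browser's parser would see."""
    def repl(m: re.Match) -> str:
        if m.group(1) is None:
            return m.group(2)          # e.g. "\@" -> "@"
        cp = int(m.group(1), 16)
        if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return "\ufffd"            # spec: invalid code points become U+FFFD
        return chr(cp)
    return _ESCAPE.sub(repl, css)


def strip_then_match(css: str) -> list[str]:
    """Simplified model of the flawed order: delete backslashes, then match."""
    text = _COMMENT.sub("", css).replace("\\", "").lower()
    return [k for k in KEYWORDS if k in text]


def decode_then_match(css: str) -> list[str]:
    """Decode escapes first, so the check sees what the browser sees."""
    text = decode_css_escapes(_COMMENT.sub("", css)).lower()
    return [k for k in KEYWORDS if k in text]


# Constructed sample inputs (styles.example is a placeholder host).
SAMPLES = [
    '@import url("https://styles.example/a.css");',
    '@\\69mport url("https://styles.example/a.css");',
    "width: e\\78pression(1);",
    "color: red;",
]

if __name__ == "__main__":
    for css in SAMPLES:
        print(f"{css!r:55} strip={strip_then_match(css)} decode={decode_then_match(css)}")
```

Deleting the backslash from `\69` leaves the digits `69` in place, so the keyword never forms; decoding turns the escape into `i` and the check matches.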