{"id":"CVE-2021-28957","details":"An XSS vulnerability was discovered in python-lxml's clean module (lxml.html.clean) in versions before 4.6.3. When the Cleaner class is configured with both safe_attrs_only=False and forms=False (both non-default settings; the defaults keep them enabled), it does not remove the formaction attribute, a URL-valued attribute on form submission controls, so an attacker-supplied JavaScript payload in that attribute survives sanitization and bypasses the sanitizer. A remote attacker could exploit this flaw to execute arbitrary JavaScript in the browsers of users who interact with the incorrectly sanitized HTML. This issue is patched in lxml 4.6.3; deployments that cannot upgrade should avoid disabling safe_attrs_only and forms together.","aliases":["GHSA-jq4v-f5q6-mjqq","PYSEC-2021-19"],"modified":"2026-04-10T04:31:51.730480Z","published":"2021-03-21T05:15:13.367Z","related":["ALSA-2021:4151","ALSA-2021:4158","ALSA-2021:4160","ALSA-2021:4162","MGASA-2021-0246","SUSE-FU-2022:0444-1","SUSE-FU-2022:0445-1","SUSE-SU-2022:0803-1","SUSE-SU-2022:0895-1","SUSE-SU-2022:1536-1","SUSE-SU-2022:1729-1","SUSE-SU-2022:3836-1","SUSE-SU-2022:3934-1","SUSE-SU-2022:3937-1","openSUSE-SU-2022:0803-1","openSUSE-SU-2024:11236-1","openSUSE-SU-2024:11473-1","openSUSE-SU-2025:14647-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202208-06"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210521-0004/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4880"},{"type":"REPORT","url":"https://bugs.launchpad.net/lxml/+bug/1888153"},{"type":"FIX","url":"https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999"},{"type":"FIX","url":"https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"affected":[{"ranges"
:[{"type":"GIT","repo":"https://github.com/lxml/lxml","events":[{"introduced":"0"},{"fixed":"a5f9cb52079dc57477c460dbe6ba0f775e14a999"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.6.3"}]}}],"versions":["lxml-0.5.1","lxml-0.6","lxml-0.7","lxml-0.9","lxml-1.0","lxml-1.0.beta","lxml-1.1","lxml-1.1alpha","lxml-1.1beta","lxml-1.2","lxml-2.0","lxml-2.0.1","lxml-2.0alpha1","lxml-2.0alpha2","lxml-2.0alpha3","lxml-2.0alpha4","lxml-2.0alpha5","lxml-2.0alpha6","lxml-2.0beta1","lxml-2.0beta2","lxml-2.1","lxml-2.1alpha1","lxml-2.1beta1","lxml-2.1beta2","lxml-2.1beta3","lxml-2.2","lxml-2.2.1","lxml-2.2.2","lxml-2.3","lxml-2.3.1","lxml-2.3alpha1","lxml-2.3alpha2","lxml-2.3beta1","lxml-3.0","lxml-3.0.1","lxml-3.0alpha1","lxml-3.0alpha2","lxml-3.0beta1","lxml-3.1.0","lxml-3.1.1","lxml-3.1beta1","lxml-3.2.0","lxml-3.2.1","lxml-3.2.2","lxml-3.2.3","lxml-3.3.0","lxml-3.3.0beta1","lxml-3.3.0beta2","lxml-3.3.0beta3","lxml-3.3.0beta4","lxml-3.3.0beta5","lxml-3.3.1","lxml-3.3.2","lxml-3.3.3","lxml-3.4.0","lxml-3.4.0beta1","lxml-3.4.1","lxml-3.5.0","lxml-3.5.0b1","lxml-3.6.0","lxml-3.6.1","lxml-3.7.0","lxml-3.7.1","lxml-3.7.2","lxml-3.8.0","lxml-3.8.0-py27fix","lxml-4.0.0","lxml-4.1.0","lxml-4.1.1","lxml-4.2.0","lxml-4.2.1","lxml-4.2.2","lxml-4.3.0","lxml-4.3.1","lxml-4.3.2","lxml-4.4.0","lxml-4.4.1","lxml-4.5.0","lxml-4.5.1","lxml-4.5.2","lxml-4.6.0","lxml-4.6.1","lxml-4.6.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-28957.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}