{"id":"CVE-2021-43818","details":"lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.","aliases":["GHSA-55x5-fj6c-h6m8","PYSEC-2021-852"],"modified":"2026-04-16T04:38:18.791790635Z","published":"2021-12-13T18:15:08.387Z","related":["ALSA-2022:1763","ALSA-2022:1764","ALSA-2022:1821","ALSA-2022:1932","GHSA-55x5-fj6c-h6m8","SUSE-SU-2022:0803-1","SUSE-SU-2022:0895-1","SUSE-SU-2022:1729-1","openSUSE-SU-2022:0803-1","openSUSE-SU-2024:11713-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/"},{"type":"ADVISORY","url":"https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202208-06"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220107-0005/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5043"},{"type":"FIX","url":"https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776"},{"type":"FIX","url":"https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0"},{"type":"FIX","url":"https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lxml/lxml","events":[{"introduced":"0"},{"fixed":"a9611ba80bc5196c1dd07a0b1964fcb603695d63"},{"fixed":"12fa9669007180a7bb87d990c375cf91ca5b664a"},{"fixed":"a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c"},{"fixed":"f2330237440df7e8f39c3ad1b1aa8852be3b27c0"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.6.5"}]}}],"versions":["lxml-0.5.1","lxml-0.6","lxml-0.7","lxml-0.9","lxml-1.0","lxml-1.0.beta","lxml-1.1","lxml-1.1alpha","lxml-1.1beta","lxml-1.2","lxml-2.0","lxml-2.0.1","lxml-2.0alpha1","lxml-2.0alpha2","lxml-2.0alpha3","lxml-2.0alpha4","lxml-2.0alpha5","lxml-2.0alpha6","lxml-2.0beta1","lxml-2.0beta2","lxml-2.1","lxml-2.1alpha1","lxml-2.1beta1","lxml-2.1beta2","lxml-2.1beta3","lxml-2.2","lxml-2.2.1","lxml-2.2.2","lxml-2.3","lxml-2.3.1","lxml-2.3alpha1","lxml-2.3alpha2","lxml-2.3beta1","lxml-3.0","lxml-3.0.1","lxml-3.0alpha1","lxml-3.0alpha2","lxml-3.0beta1","lxml-3.1.0","lxml-3.1.1","lxml-3.1beta1","lxml-3.2.0","lxml-3.2.1","lxml-3.2.2","lxml-3.2.3","lxml-3.3.0","lxml-3.3.0beta1","lxml-3.3.0beta2","lxml-3.3.0beta3","lxml-3.3.0beta4","lxml-3.3.0beta5","lxml-3.3.1","lxml-3.3.2","lxml-3.3.3","lxml-3.4.0","lxml-3.4.0beta1","lxml-3.4.1","lxml-3.5.0","lxml-3.5.0b1","lxml-3.6.0","lxml-3.6.1","lxml-3.7.0","lxml-3.7.1","lxml-3.7.2","lxml-3.8.0","lxml-3.8.0-py27fix","lxml-4.0.0","lxml-4.1.0","lxml-4.1.1","lxml-4.2.0","lxml-4.2.1","lxml-4.2.2","lxml-4.3.0","lxml-4.3.1","lxml-4.3.2","lxml-4.4.0","lxml-4.4.1","lxml-4.5.0","lxml-4.5.1","lxml-4.5.2","lxml-4.6.0","lxml-4.6.1","lxml-4.6.2","lxml-4.6.3","lxml-4.6.4","lxml-4.6.4-1","lxml-4.6.4-2","lxml-4.6.4-3","lxml-4.6.4-4","lxml-4.6.4-5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43818.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"35"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"22.1.3"}]},{"events":[{"introduced":"0"},{"last_affected":"22.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"}]}