Medium severity6.1NVD Advisory· Published May 14, 2014· Updated Jun 17, 2026
CVE-2014-3146
CVE-2014-3146
Description
Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
lxmlPyPI | < 3.3.5 | 3.3.5 |
Affected products
96cpe:2.3:a:lxml:lxml:*:*:*:*:*:*:*:*+ 94 more
- cpe:2.3:a:lxml:lxml:*:*:*:*:*:*:*:*range: <=3.3.4
- cpe:2.3:a:lxml:lxml:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:0.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:0.8:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:1.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.1:alpha1:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.1:beta1:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.1:beta2:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.1:beta3:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2:-:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2:alpha1:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2:beta1:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2:beta2:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2:beta3:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.2:beta4:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.3:-:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.3:alpha1:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.3:alpha2:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:2.3:beta1:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.0:-:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.1:beta1:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.3.0:-:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.3.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.3.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.3.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.3.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.3.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:lxml:lxml:3.3.3:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
27- seclists.org/fulldisclosure/2014/Apr/319nvdExploitWEB
- www.securityfocus.com/bid/67159nvdExploit
- mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.htmlnvdExploitWEB
- secunia.com/advisories/58013nvdVendor Advisory
- github.com/advisories/GHSA-57qw-cc2g-pv5pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2014-3146ghsaADVISORY
- advisories.mageia.org/MGASA-2014-0218.htmlnvdWEB
- lists.opensuse.org/opensuse-updates/2014-05/msg00083.htmlnvdWEB
- lxml.de/3.3/changes-3.3.5.htmlnvdWEB
- seclists.org/fulldisclosure/2014/Apr/210nvdWEB
- www.debian.org/security/2014/dsa-2941nvdWEB
- www.openwall.com/lists/oss-security/2014/05/09/7nvdWEB
- www.ubuntu.com/usn/USN-2217-1nvdWEB
- github.com/lxml/lxml/commit/3f3082e0a67851cde26a48da3d1f4b75d8aa07ecghsaWEB
- github.com/lxml/lxml/commit/86e81ab393ba14c1be71284675851a3bdce57d69ghsaWEB
- github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1ccghsaWEB
- github.com/lxml/lxml/pull/273ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2014-9.yamlghsaWEB
- web.archive.org/web/20140724172044/http://secunia.com/advisories/58013ghsaWEB
- web.archive.org/web/20140805110535/http://secunia.com/advisories/59008ghsaWEB
- web.archive.org/web/20140806061046/http://secunia.com/advisories/58744ghsaWEB
- web.archive.org/web/20141017122607/https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.htmlghsaWEB
- web.archive.org/web/20150523055039/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:112/ghsaWEB
- web.archive.org/web/20200228180542/http://www.securityfocus.com/bid/67159ghsaWEB
- secunia.com/advisories/58744nvd
- secunia.com/advisories/59008nvd
- www.mandriva.com/security/advisoriesnvd
News mentions
0No linked articles in our index yet.