VYPR
Moderate severityNVD Advisory· Published Mar 21, 2021· Updated Dec 17, 2025

CVE-2021-28957

CVE-2021-28957

Description

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
lxmlPyPI
< 4.6.34.6.3

Affected products

198

Patches

Vulnerability mechanics

References

19

News mentions

0

No linked articles in our index yet.