CVE-2021-43818

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-43818
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43818.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-43818
Published
2021-12-13T18:15:08Z
Modified
2025-10-08T04:55:12.519047Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Summary
[none]
Details

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users who employ the HTML Cleaner in a security-relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

Affected packages

Git / github.com/lxml/lxml

Affected ranges

Type
GIT
Repo
https://github.com/lxml/lxml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed

Affected versions

lxml-0.*

lxml-0.5.1
lxml-0.6
lxml-0.7
lxml-0.9

lxml-1.*

lxml-1.0
lxml-1.0.beta
lxml-1.1
lxml-1.1alpha
lxml-1.1beta
lxml-1.2

lxml-2.*

lxml-2.0
lxml-2.0.1
lxml-2.0alpha1
lxml-2.0alpha2
lxml-2.0alpha3
lxml-2.0alpha4
lxml-2.0alpha5
lxml-2.0alpha6
lxml-2.0beta1
lxml-2.0beta2
lxml-2.1
lxml-2.1alpha1
lxml-2.1beta1
lxml-2.1beta2
lxml-2.1beta3
lxml-2.2
lxml-2.2.1
lxml-2.2.2
lxml-2.3
lxml-2.3.1
lxml-2.3.2
lxml-2.3.3
lxml-2.3.4
lxml-2.3.5
lxml-2.3.6
lxml-2.3alpha1
lxml-2.3alpha2
lxml-2.3beta1

lxml-3.*

lxml-3.0
lxml-3.0.1
lxml-3.0.2
lxml-3.0alpha1
lxml-3.0alpha2
lxml-3.0beta1
lxml-3.1.0
lxml-3.1.1
lxml-3.1.2
lxml-3.1beta1
lxml-3.2.0
lxml-3.2.1
lxml-3.2.2
lxml-3.2.3
lxml-3.2.4
lxml-3.2.5
lxml-3.3.0
lxml-3.3.0beta1
lxml-3.3.0beta2
lxml-3.3.0beta3
lxml-3.3.0beta4
lxml-3.3.0beta5
lxml-3.3.1
lxml-3.3.2
lxml-3.3.3
lxml-3.3.4
lxml-3.3.5
lxml-3.3.6
lxml-3.4.0
lxml-3.4.0beta1
lxml-3.4.1
lxml-3.4.2
lxml-3.4.3
lxml-3.4.4
lxml-3.5.0
lxml-3.5.0b1
lxml-3.6.0
lxml-3.6.1
lxml-3.6.2
lxml-3.6.3
lxml-3.6.4
lxml-3.7.0
lxml-3.7.1
lxml-3.7.2
lxml-3.8.0
lxml-3.8.0-py27fix

lxml-4.*

lxml-4.0.0
lxml-4.1.0
lxml-4.1.1
lxml-4.2.0
lxml-4.2.1
lxml-4.2.2
lxml-4.2.3
lxml-4.2.3-win
lxml-4.2.4
lxml-4.2.5
lxml-4.2.6
lxml-4.2.6-win1
lxml-4.3.0
lxml-4.3.1
lxml-4.3.2
lxml-4.3.3
lxml-4.3.4
lxml-4.3.5
lxml-4.4.0
lxml-4.4.1
lxml-4.4.2
lxml-4.4.3
lxml-4.5.0
lxml-4.5.1
lxml-4.5.2
lxml-4.6.0
lxml-4.6.1
lxml-4.6.2
lxml-4.6.3
lxml-4.6.4
lxml-4.6.4-1
lxml-4.6.4-2
lxml-4.6.4-3
lxml-4.6.4-4
lxml-4.6.4-5