Description

lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the <base> tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, there is no specific handling for <base>, allowing an attacker to inject it and hijack relative links on the page. This issue has been patched in version 0.4.4.

INFO

Published Date :

2026-03-05T19:49:55.662Z

Last Modified :

2026-03-06T17:05:13.841Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28350 vulnerability.

Vendors Products
Fedora-python
  • Lxml Html Clean
Fedoralovespython
  • Lxml Html Clean
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28350.

URL Resource
https://github.com/fedora-python/lxml_html_clean/commit/9c5612ca33b941eec4178abf8a5294b103403f34 cve-icon cve-icon
https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-xvp8-3mhv-424c cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact