Security Advisory

CVE-2026-28350

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-05 19:49:55

Last updated 2026-03-06 17:05:13

Assigner GitHub_M

State PUBLISHED

Description

lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the <base> tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, there is no specific handling for <base>, allowing an attacker to inject it and hijack relative links on the page. This issue has been patched in version 0.4.4.

← Browse all CVEs View on cve.org ↗