CVE-2021-28957

6.1 MEDIUM
Published: March 21, 2021 Modified: December 17, 2025

Description

An XSS vulnerability was discovered in python-lxml's clean module in versions before 4.6.3. When the safe_attrs_only and forms arguments are both disabled, the Cleaner class does not remove the formaction attribute, allowing JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

https://bugs.launchpad.net/lxml/+bug/1888153
  Tags: Exploit, Issue Tracking, Third Party Advisory
  Sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108

https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999
  Tags: Patch, Third Party Advisory
  Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270
  Tags: Patch, Third Party Advisory
  Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html
  Tags: Mailing List, Third Party Advisory
  Sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202208-06
  Tags: Third Party Advisory
  Sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20210521-0004/
  Tags: Third Party Advisory
  Sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108

https://www.debian.org/security/2021/dsa-4880
  Tags: Third Party Advisory
  Sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108

https://www.oracle.com/security-alerts/cpuoct2021.html
  Tags: Patch, Third Party Advisory
  Sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108

20 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.1 / 10.0
EPSS (Exploit Probability)
0.5%
65th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

debian fedoraproject oracle lxml netapp