CVE-2014-3146

MEDIUMNVD 6.1

6.1

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

CVSS v3: 6.1
EG Score: —
EPSS: 88.9%
KEV: Not listed

Published

May 14, 2014

Last Modified

May 6, 2026

Advisory Details (8)

Auto-updated May 7, 2026

No patch confirmed yet.

generic

[SECURITY] [DSA 2941-1] lxml security update

http://www.debian.org/security/2014/dsa-2941

generic

About Secunia Research | Flexera

http://secunia.com/advisories/59008

generic

About Secunia Research | Flexera

http://secunia.com/advisories/58744

generic

About Secunia Research | Flexera

http://secunia.com/advisories/58013

generic

Full Disclosure: Re: lxml (python lib) vulnerability

http://seclists.org/fulldisclosure/2014/Apr/319

generic

Full Disclosure: lxml (python lib) vulnerability

http://seclists.org/fulldisclosure/2014/Apr/210

generic

lxml changelog

http://lxml.de/3.3/changes-3.3.5.html

generic

Mageia Advisory: MGASA-2014-0218 - Updated python-lxml package fix CVE-2014-3146

http://advisories.mageia.org/MGASA-2014-0218.html

Frequently asked(5)

What is CVE-2014-3146?

CVE-2014-3146 is a medium vulnerability published on May 14, 2014. Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

When was CVE-2014-3146 disclosed?

CVE-2014-3146 was first published in the National Vulnerability Database on May 14, 2014, with the most recent update on May 6, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2014-3146 actively exploited?

CVE-2014-3146 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 88.9% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2014-3146?

CVE-2014-3146 has a CVSS v3 base score of 6.1 (NVD).

How do I remediate CVE-2014-3146?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2014-3146, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2014-3146

Explore →

Is Your Infrastructure Affected by CVE-2014-3146?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2014-3146

📅 Published

🔄 Last Modified

📋 Advisory Details (8)

[SECURITY] [DSA 2941-1] lxml security update

About Secunia Research | Flexera

About Secunia Research | Flexera

About Secunia Research | Flexera

Full Disclosure: Re: lxml (python lib) vulnerability

Full Disclosure: lxml (python lib) vulnerability

lxml changelog

Mageia Advisory: MGASA-2014-0218 - Updated python-lxml package fix CVE-2014-3146

❓ Frequently asked(5)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2014-3146?

Published

Last Modified

Advisory Details (8)

Frequently asked(5)