bleach
Ecosystem: PyPI. 5 known CVEs affecting this package.
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting bleach (page 1 of 1)
- CVE-2018-7753 | CRITICAL | CVSS 9.8 | Fixed in 2.1.3 | 2018-03-07
vulnerable: 2.1, 2.1.1, 2.1.2
An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme t…
- CVE-2020-6802 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 3.1.1 | 2020-03-24
vulnerable: 0.1 ... 3.1.0 (41 versions)
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
- CVE-2020-6816 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 3.1.2 | 2020-03-24
vulnerable: 0.1 ... 3.1.1 (42 versions)
In Mozilla Bleach before 3.12, a mutation XSS exists in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False is used.
- CVE-2020-6817 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 3.1.4 | 2023-02-16
vulnerable: 0.1 ... 3.1.3 (44 versions)
bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(...…
- CVE-2021-23980 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 3.3.0 | 2023-02-16
vulnerable: 0.1 ... 3.2.3 (50 versions)
A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags; p or br in the allowed tags; style, title, noscript, script, textarea, noframes, iframe, or xmp in the allowed tags; and the keyword argument strip_comments=F…