GHSA-jhhc-3hcp-qhm5MediumCVSS 6.5

WeasyPrint has CSS Injection via Presentational Hints

Published
July 6, 2026
Last Modified
July 6, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

A CSS injection issue exists in WeasyPrint when HTML presentational hints are enabled. Unescaped attribute values are embedded into CSS, allowing injection of arbitrary CSS declarations. This affects applications processing untrusted HTML input.

Details

File: weasyprint/css/init.py

The background attribute is used to construct CSS:

background-image:url({element.get("background")})

This string is parsed by tinycss2.parse_blocks_contents().

Because the value is not escaped, additional CSS declarations can be injected.

PoC

Impact

  • CSS injection
  • Server-side requests via injected url()
  • Limited to cases where presentational_hints=True

Suggested Fix

🎯 Affected products1

  • pip/weasyprint:<= 68.1

🔗 References (2)