GHSA-p5j5-4j3q-8mq8Medium

TYPO3 HTML Sanitizer allows Cross-site Scripting

Published
June 12, 2026
Last Modified
June 12, 2026

🔗 CVE IDs covered (1)

📋 Description

Namespace attributes are not encoded correctly during HTML serialization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.

Credits to Doyensec in collaboration with Claude and Anthropic Research for reporting this vulnerability.

🎯 Affected products1

  • composer/typo3/html-sanitizer:< 2.3.2

🔗 References (6)