GHSA-3rcm-vjrc-p45j: JustHTML Sanitizer Bypass in Markdown Serialization
Vulnerability ID: GHSA-3RCM-VJRC-P45J
CVSS Score: 5.1
Published: 2026-03-18
A sanitizer bypass vulnerability in the JustHTML Python library allows for Cross-Site Scripting (XSS) when safe, entity-encoded HTML input is improperly serialized into raw HTML tags during Markdown generation.
TL;DR
JustHTML versions prior to 1.12.0 fail to escape angle brackets during Markdown serialization. Entity-encoded HTML inputs safely parsed by the DOM are emitted as raw HTML in the Markdown output, leading to XSS if rendered downstream.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Class: Sanitizer Bypass / Cross-Site Scripting (XSS)
- CWE ID: CWE-79
- Attack Vector: Network
- Authentication Required: None
- CVSS v4.0 Score: 5.1 (Moderate)
- Exploit Maturity: Proof-of-Concept
- Affected Component: JustHTML.to_markdown()
Affected Systems
- JustHTML (PyPI Package)
- justhtml: < 1.12.0 (Fixed in: 1.12.0)
Mitigation Strategies
- Upgrade JustHTML to version 1.12.0 or newer.
- Configure downstream Markdown renderers to strip or escape raw HTML tags.
- Implement contextual output encoding when rendering generated Markdown in web views.
Remediation Steps:
- Identify all projects utilizing the justhtml Python package.
- Update the dependency using pip install --upgrade justhtml==1.12.0 or equivalent package manager commands.
- Review the usage of to_markdown() across the codebase to ensure downstream renderers do not unsafely execute HTML.
- Deploy the updated codebase and verify functionality using the provided proof-of-concept payload.
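The following is an added example, not JustHTML's code: it models the serialization defect described above with a stand-in parse/serialize pair, provides a regression check that flags raw tags in Markdown output, and shows the downstream mitigation of escaping raw HTML outside inline code spans. The sample input and all function names are constructed for illustration.

```python
import html
import re

# Constructed sample: entity-encoded HTML that a DOM parser treats as harmless text.
SAMPLE_INPUT = "&lt;script&gt;alert(1)&lt;/script&gt; and a &lt;b&gt;bold&lt;/b&gt; tag"

# Matches anything that a Markdown renderer would pass through as a raw HTML tag.
RAW_TAG = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")
# Matches inline code spans (`...`), whose contents must be left untouched.
CODE_SPAN = re.compile(r"(`+)(.+?)\1")


def parse_text_node(encoded: str) -> str:
    """Stand-in for the DOM parse step: entities are decoded into a plain text node."""
    return html.unescape(encoded)


def serialize_markdown_vulnerable(text: str) -> str:
    """Models the pre-1.12.0 behaviour the advisory describes (not the library's code):
    the decoded text is copied verbatim, so '<script>' in a text node becomes raw HTML."""
    return text


def serialize_markdown_fixed(text: str) -> str:
    """Escapes angle brackets so the renderer sees literal characters, not tags."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


def contains_raw_html(markdown: str) -> bool:
    """Regression check to run over sanitizer output: any raw tag token is a finding."""
    return RAW_TAG.search(markdown) is not None


def neutralize_raw_html(markdown: str) -> str:
    """Downstream mitigation: escape raw tags everywhere except inside inline code spans."""
    def escape_tags(segment: str) -> str:
        return RAW_TAG.sub(lambda t: html.escape(t.group(0), quote=False), segment)

    out, pos = [], 0
    for m in CODE_SPAN.finditer(markdown):
        out.append(escape_tags(markdown[pos:m.start()]))
        out.append(m.group(0))  # keep code span verbatim
        pos = m.end()
    out.append(escape_tags(markdown[pos:]))
    return "".join(out)


if __name__ == "__main__":
    node = parse_text_node(SAMPLE_INPUT)
    print("vulnerable:", serialize_markdown_vulnerable(node), contains_raw_html(serialize_markdown_vulnerable(node)))
    print("fixed:     ", serialize_markdown_fixed(node), contains_raw_html(serialize_markdown_fixed(node)))
```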