DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-qvc2-mg72-jjhx: Mutation XSS (mXSS) in justhtml HTML Serializer

Vulnerability ID: GHSA-QVC2-MG72-JJHX
CVSS Score: 5.3
Published: 2026-03-18

The justhtml Python library prior to version 1.12.0 contains a mutation Cross-Site Scripting (mXSS) vulnerability caused by its HTML serialization logic. To preserve round-trip fidelity, the serializer writes the text content of raw-text elements such as script and style verbatim, without escaping. This only matters when an application uses a custom SanitizationPolicy that permits these elements: an attacker can then place a closing tag sequence (for example `</style>`) inside that text content. The sanitizer sees a single, harmless raw-text element, but the serialized output, once reparsed by the browser, contains additional elements and executes arbitrary JavaScript in the victim's browser.

TL;DR

justhtml versions prior to 1.12.0 are vulnerable to Mutation XSS when configured with custom sanitization policies allowing <script> or <style> tags, enabling arbitrary JavaScript execution via unescaped closing tags in raw-text content.

⚠️ Exploit Status: POC

Technical Details

- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Base Score: 5.3
- Exploit Status: PoC Available
- Impact: Cross-Site Scripting (XSS)
- Patch Status: Fixed in 1.12.0

Affected Systems

- justhtml HTML serialization library
- Python applications using custom justhtml SanitizationPolicy configurations that allow script or style elements
- justhtml: < 1.12.0 (Fixed in: 1.12.0)

Mitigation Strategies

- Upgrade justhtml to version 1.12.0 or later.
- Ensure custom SanitizationPolicy configurations do not permit script or style elements.

Remediation Steps:

1. Identify projects using justhtml as a dependency.
2. Update the package requirements to justhtml>=1.12.0.
3. Verify test suites pass with the updated serializer behavior.
4. If upgrading is impossible, audit all SanitizationPolicy instances to confirm script and style are absent from allowed_tags.

References

- GitHub Advisory GHSA-qvc2-mg72-jjhx: https://github.com/EmilStenstrom/justhtml/security/advisories/GHSA-qvc2-mg72-jjhx
- justhtml Package Repository: https://github.com/EmilStenstrom/justhtml
- justhtml Changelog: https://raw.githubusercontent.com/EmilStenstrom/justhtml/main/CHANGELOG.md
- OSV Vulnerability Database Entry: https://osv.dev/vulnerability/GHSA-qvc2-mg72-jjhx
- JustHTML Sanitization Documentation: https://github.com/EmilStenstrom/justhtml/blob/main/docs/sanitization.md

Full report for GHSA-qvc2-mg72-jjhx, including the exploit analysis: https://cvereports.com/reports/GHSA-QVC2-MG72-JJHX
