CVE-2026-28350: Lxml Html Clean Missing Base Tag
Provally Curated | Public repository | Medium | Medium confidence | Verified | Apache-2.0 | Python
greprules fetch cve-2026-28350-lxml-html-clean-missing-base-tag --engine opengrep
Description
The HTML cleaner fails to reliably remove `<base>` tags when removing `<head>` tags. This omission allows attackers to inject rogue `<base>` elements that bypass sanitization, potentially hijacking relative URLs and triggering cross-site scripting (XSS) or malicious redirects upon rendering.