Bug 2444968 (CVE-2026-28348)

Summary: CVE-2026-28348 lxml_html_clean: lxml_html_clean: Cross-Site Scripting (XSS) via CSS filter bypass
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in lxml_html_clean. The `_has_sneaky_javascript()` method incorrectly strips backslashes before checking for dangerous CSS keywords. This allows CSS Unicode escape sequences to bypass `@import` and `expression()` filters. A remote attacker could exploit this to achieve external CSS loading or Cross-Site Scripting (XSS) in older browsers, potentially leading to arbitrary script execution in the context of the user's browser.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2444970    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-05 21:02:17 UTC 
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers. This issue has been patched in version 0.4.4.