<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Thu, 18 Jun 2026 13:28:31 +0000</lastBuildDate>
    <item>
      <title>9709d6d9-1a13-4289-b966-723c634bb089</title>
      <link>https://vulnerability.circl.lu/sighting/9709d6d9-1a13-4289-b966-723c634bb089/export</link>
      <description>{"uuid": "9709d6d9-1a13-4289-b966-723c634bb089", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-8RFP-98V4-MMR6", "type": "seen", "source": "https://gist.github.com/alon710/e8893a7e1e93a2bc7611803f8c648ff8", "content": "# GHSA-8RFP-98V4-MMR6: Protocol-Filtering Bypass via Unicode Obfuscation in Mozilla Bleach\n\n&amp;gt; **CVSS Score:** 0.0\n&amp;gt; **Published:** 2026-06-16\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-8RFP-98V4-MMR6\n\n## Summary\nMozilla Bleach is an open-source HTML sanitizing library for Python. Versions up to and including 6.3.0 contain an incomplete filtering implementation in the URI validation logic ('sanitize_uri_value'). This logic fails to detect disallowed protocols, such as 'javascript:', if they contain Unicode invisible characters, whitespace characters, or characters with a code point greater than U+00A0. While standard-compliant web browsers do not directly execute invalid URI schemes containing these non-standard characters, downstream systems that normalize Unicode text by stripping invisible or non-ASCII characters can unintentionally reactivate the 'javascript:' prefix, causing Cross-Site Scripting (XSS). Additionally, this behavior violates Bleach's core sanitization contract by outputting URIs that bypass protocol allowlists configured by the caller.\n\n## TL;DR\nMozilla Bleach versions up to 6.3.0 fail to sanitize URLs containing high-plane Unicode or invisible characters in the scheme prefix. This allows blocked protocols like 'javascript:' to bypass sanitization filters, creating stored Cross-Site Scripting (XSS) risks in downstream environments that normalize or strip Unicode data.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-184 (Incomplete List of Disallowed Inputs)\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 0.0 (Low due to indirect downstream dependency)\n- **Impact**: Bypass of protocol validation filters / Secondary stored XSS\n- **Exploit Status**: Proof-of-Concept (PoC) available\n- **KEV Status**: Not listed in CISA KEV\n\n## Affected Systems\n\n- Mozilla Bleach &amp;lt;= 6.3.0\n- **bleach**: &amp;lt;= 6.3.0 (Fixed in: `6.4.0`)\n\n## Mitigation\n\n- Upgrade to Mozilla Bleach version 6.4.0.\n- Migrate from the deprecated Bleach library to active alternatives such as nh3.\n- Preprocess untrusted strings to remove high-plane Unicode whitespace and invisible characters before passing them to the sanitizer.\n- Deploy a strong Content Security Policy (CSP) restricting 'unsafe-inline' scripts.\n\n**Remediation Steps:**\n1. Locate and audit your application's dependencies for 'bleach' configurations.\n2. Upgrade Bleach to 6.4.0: 'pip install bleach==6.4.0'.\n3. If utilizing a downstream processor or database normalization, ensure characters are normalized before validation rather than after.\n4. Transition application codebase to 'nh3' for ongoing security support and HTML sanitization.\n\n## References\n\n- [GitHub Advisory Database Advisory](https://github.com/advisories/GHSA-8RFP-98V4-MMR6)\n- [Mozilla Bugzilla #2023812](https://bugzilla.mozilla.org/show_bug.cgi?id=2023812)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-8RFP-98V4-MMR6) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-16T17:11:34.000000Z"}</description>
      <content:encoded>{"uuid": "9709d6d9-1a13-4289-b966-723c634bb089", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-8RFP-98V4-MMR6", "type": "seen", "source": "https://gist.github.com/alon710/e8893a7e1e93a2bc7611803f8c648ff8", "content": "# GHSA-8RFP-98V4-MMR6: Protocol-Filtering Bypass via Unicode Obfuscation in Mozilla Bleach\n\n&amp;gt; **CVSS Score:** 0.0\n&amp;gt; **Published:** 2026-06-16\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-8RFP-98V4-MMR6\n\n## Summary\nMozilla Bleach is an open-source HTML sanitizing library for Python. Versions up to and including 6.3.0 contain an incomplete filtering implementation in the URI validation logic ('sanitize_uri_value'). This logic fails to detect disallowed protocols, such as 'javascript:', if they contain Unicode invisible characters, whitespace characters, or characters with a code point greater than U+00A0. While standard-compliant web browsers do not directly execute invalid URI schemes containing these non-standard characters, downstream systems that normalize Unicode text by stripping invisible or non-ASCII characters can unintentionally reactivate the 'javascript:' prefix, causing Cross-Site Scripting (XSS). Additionally, this behavior violates Bleach's core sanitization contract by outputting URIs that bypass protocol allowlists configured by the caller.\n\n## TL;DR\nMozilla Bleach versions up to 6.3.0 fail to sanitize URLs containing high-plane Unicode or invisible characters in the scheme prefix. This allows blocked protocols like 'javascript:' to bypass sanitization filters, creating stored Cross-Site Scripting (XSS) risks in downstream environments that normalize or strip Unicode data.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-184 (Incomplete List of Disallowed Inputs)\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 0.0 (Low due to indirect downstream dependency)\n- **Impact**: Bypass of protocol validation filters / Secondary stored XSS\n- **Exploit Status**: Proof-of-Concept (PoC) available\n- **KEV Status**: Not listed in CISA KEV\n\n## Affected Systems\n\n- Mozilla Bleach &amp;lt;= 6.3.0\n- **bleach**: &amp;lt;= 6.3.0 (Fixed in: `6.4.0`)\n\n## Mitigation\n\n- Upgrade to Mozilla Bleach version 6.4.0.\n- Migrate from the deprecated Bleach library to active alternatives such as nh3.\n- Preprocess untrusted strings to remove high-plane Unicode whitespace and invisible characters before passing them to the sanitizer.\n- Deploy a strong Content Security Policy (CSP) restricting 'unsafe-inline' scripts.\n\n**Remediation Steps:**\n1. Locate and audit your application's dependencies for 'bleach' configurations.\n2. Upgrade Bleach to 6.4.0: 'pip install bleach==6.4.0'.\n3. If utilizing a downstream processor or database normalization, ensure characters are normalized before validation rather than after.\n4. Transition application codebase to 'nh3' for ongoing security support and HTML sanitization.\n\n## References\n\n- [GitHub Advisory Database Advisory](https://github.com/advisories/GHSA-8RFP-98V4-MMR6)\n- [Mozilla Bugzilla #2023812](https://bugzilla.mozilla.org/show_bug.cgi?id=2023812)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-8RFP-98V4-MMR6) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-16T17:11:34.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/9709d6d9-1a13-4289-b966-723c634bb089/export</guid>
      <pubDate>Tue, 16 Jun 2026 17:11:34 +0000</pubDate>
    </item>
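The bypass pattern the sighting above describes, shown as an added illustration that is not part of this feed item, of the GHSA text, or of Bleach's own code. naive_is_allowed is a constructed stand-in for a protocol allowlist that only recognises a scheme written in plain ASCII (it is not Bleach's sanitize_uri_value), downstream_normalize is a constructed stand-in for the later Unicode clean-up the report says can reactivate the 'javascript:' prefix, and hardened_is_allowed applies the order the remediation steps recommend: normalize first, then decide, and reject any scheme candidate that is still not plain ASCII. The probe strings and the allowlist are constructed for the example.

```python
import re
import unicodedata

# Constructed allowlist for the illustration; real sanitizers let the caller configure this.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def naive_scheme_of(url):
    """Weak check modelled on the flaw class in the report (NOT Bleach's code):
    it only recognises a scheme made of plain ASCII characters, so a single
    invisible or non-ASCII character inside "javascript" hides the scheme."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", url)
    return m.group(1).lower() if m else None


def naive_is_allowed(url):
    """True when the weak check sees no scheme (treated as a relative URL) or an allowed one."""
    scheme = naive_scheme_of(url)
    return scheme is None or scheme in ALLOWED_SCHEMES


def downstream_normalize(text):
    """Constructed stand-in for a later clean-up pass: NFKC fold, then drop format
    (invisible) characters and non-ASCII whitespace. This is the step that turns the
    obfuscated prefix back into a live javascript: scheme."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(
        c for c in text
        if unicodedata.category(c) != "Cf" and not (c.isspace() and ord(c) > 0x7F)
    )


def stored_then_normalized(url):
    """The pipeline the report warns about: sanitize first, normalize afterwards.
    Returns None if the sanitizer blocked the URL, otherwise what downstream stores."""
    if not naive_is_allowed(url):
        return None
    return downstream_normalize(url)


def hardened_is_allowed(url):
    """Recommended order: normalize, strip ASCII controls and whitespace (browsers ignore
    tabs and newlines when parsing a scheme), then decide. A scheme candidate that is
    still not plain ASCII letters/digits/+.- is rejected outright rather than passed."""
    cleaned = downstream_normalize(url)
    cleaned = "".join(c for c in cleaned if ord(c) > 0x20 and ord(c) != 0x7F)
    # RFC 3986: the scheme is everything before the first ':' unless '/', '?' or '#' comes first.
    m = re.match(r"^([^/?#:]*):", cleaned)
    if m is None:
        return True  # no scheme at all: relative URL
    head = m.group(1)
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*", head):
        return False
    return head.lower() in ALLOWED_SCHEMES


# Constructed probes: zero-width space (U+200B) and word joiner (U+2060) spliced into the
# scheme, and a fullwidth "j" (U+FF4A) in front of it; NFKC folds the latter to ASCII "j".
PROBES = [
    "java\u200bscript:alert(1)",
    "java\u2060script:alert(1)",
    "\uff4aavascript:alert(1)",
]


def compare(urls=PROBES):
    """Per probe: (weak-check verdict, what downstream ends up storing, hardened verdict)."""
    return [(naive_is_allowed(u), stored_then_normalized(u), hardened_is_allowed(u)) for u in urls]


if __name__ == "__main__":
    for url, row in zip(PROBES, compare()):
        print(repr(url), row)
```

For every probe the weak check answers True (it sees no scheme and treats the string as relative), the stored value after normalization is the plain javascript: URL, and the hardened check answers False. The practical rule this encodes is the report's remediation step 3: whatever normalization the storage or rendering path applies must run before the allowlist decision, and the value that gets stored should be the normalized string the check actually saw, not the raw input.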
  </channel>
</rss>
