CVE-2026-28348: lxml-html-clean has CSS @import Filter Bypass via Unicode Escapes

March 2, 2026 (updated March 5, 2026)

The _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers.

References

github.com/advisories/GHSA-hw26-mmpg-fqfg
github.com/fedora-python/lxml_html_clean
github.com/fedora-python/lxml_html_clean/commit/2ef732667ddbc74ea59847bcf24b75809aaeed3b
github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-hw26-mmpg-fqfg
nvd.nist.gov/vuln/detail/CVE-2026-28348

Code Behaviors & Features

Detect and mitigate CVE-2026-28348 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →