GHSA-4p64-v8f5-r2gx: Multiple security fixes in justhtml

April 14, 2026

justhtml 1.16.0 fixes multiple security issues in sanitization, serialization, and programmatic DOM handling.

Most of these issues affected one of these advanced paths rather than ordinary parsed HTML with the default safe settings:

programmatic DOM input to sanitize() or sanitize_dom()
reused or mutated sanitization policy objects
custom policies that preserve foreign namespaces such as SVG or MathML

References

github.com/EmilStenstrom/justhtml
github.com/EmilStenstrom/justhtml/security/advisories/GHSA-4p64-v8f5-r2gx
github.com/advisories/GHSA-4p64-v8f5-r2gx

Code Behaviors & Features

Detect and mitigate GHSA-4p64-v8f5-r2gx with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →