Advisory Database
  • Advisories
  • Dependency Scanning
  1. pypi
  2. ›
  3. weasyprint
  4. ›
  5. CVE-2026-49452

CVE-2026-49452: WeasyPrint has CSS Injection via Presentational Hints

July 6, 2026

A CSS injection issue exists in WeasyPrint when HTML presentational hints are enabled. Unescaped attribute values are embedded into CSS, allowing injection of arbitrary CSS declarations. This affects applications processing untrusted HTML input.

References

  • github.com/Kozea/WeasyPrint/security/advisories/GHSA-jhhc-3hcp-qhm5
  • github.com/advisories/GHSA-jhhc-3hcp-qhm5
  • nvd.nist.gov/vuln/detail/CVE-2026-49452

Code Behaviors & Features

Detect and mitigate CVE-2026-49452 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions up to 68.1.0

Solution

Unfortunately, there is no solution available yet.

Impact 6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Learn more about CVSS

Weakness

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Source file

pypi/weasyprint/CVE-2026-49452.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Tue, 07 Jul 2026 12:17:28 +0000.