SB2026060815 - Multiple vulnerabilities in Bleach
Published: June 8, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Incomplete List of Disallowed Inputs (CVE-ID: N/A)
CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass URI scheme restrictions in sanitized output.
The vulnerability exists due to an incomplete list of disallowed inputs in bleach.clean when sanitizing anchor tags whose href attributes contain crafted URI schemes with Unicode characters above U+00A0. A remote attacker can supply specially crafted HTML content to bypass URI scheme restrictions in sanitized output.
This issue is not a direct cross-site scripting vulnerability in modern browsers, but downstream Unicode normalization before rendering could make the disallowed scheme valid.
2) Inefficient regular expression complexity (CVE-ID: N/A)
CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to inefficient regular expression complexity in LinkifyFilter.handle_email_addresses() and EMAIL_RE processing in bleach/linkifier.py when parsing attacker-controlled text with email linkification enabled. A remote user can submit specially crafted text to cause a denial of service.
Only applications that enable parse_email=True on untrusted text are affected.
3) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to insufficient sanitization of formaction attributes in Bleach clean() / Cleaner() when sanitizing untrusted HTML that includes submit-capable controls for which formaction is an allowed attribute. A remote attacker can supply crafted HTML containing a javascript: URI in a formaction attribute to execute arbitrary script in the victim's browser.
User interaction is required to activate the affected submit control, and only configurations that explicitly allow the relevant tag and attribute combination are vulnerable.
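As an added defence-in-depth example for items 1 and 3 above (written for this bulletin, not code from Bleach or from the advisories), the following re-validates URL schemes after NFKC normalization, so a scheme that only becomes valid once a downstream step normalizes Unicode is caught before rendering, and audits a bleach-style attribute allowlist for the formaction attribute. ALLOWED_PROTOCOLS is a constructed allowlist, and the attribute map is assumed to be in Bleach's dict-of-lists form ({tag: [attr, ...]}).

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist, mirroring the protocols= argument one would pass to bleach.clean().
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}


def canonical_scheme(href: str) -> str:
    """Return the lower-cased scheme a browser is likely to see after normalization.

    Returns '' for relative URLs or values with no recognizable scheme.
    """
    # NFKC folds compatibility characters (fullwidth letters etc.) to their ASCII forms,
    # which is exactly the downstream normalization the bulletin warns about.
    normalized = unicodedata.normalize("NFKC", href)
    # Drop ASCII control characters, whitespace and DEL, which URL parsers ignore.
    cleaned = "".join(ch for ch in normalized if ch > "\x20" and ch != "\x7f")
    # urlsplit only recognizes ASCII-letter schemes, so run it on the normalized text.
    return urlsplit(cleaned).scheme.lower()


def href_is_allowed(href: str, allowed=ALLOWED_PROTOCOLS) -> bool:
    """True if the href is relative or its post-normalization scheme is allowlisted."""
    scheme = canonical_scheme(href)
    return scheme == "" or scheme in allowed


def allows_formaction(attributes: dict) -> list[str]:
    """Return tags in a bleach-style attribute map that explicitly allow 'formaction'.

    Any hit means the sanitizer configuration is in the affected class for item 3.
    """
    flagged = []
    for tag, attrs in attributes.items():
        if isinstance(attrs, (list, tuple, set, frozenset)) and "formaction" in attrs:
            flagged.append(tag)
    return flagged


if __name__ == "__main__":
    # Constructed sample values: a normal link, a relative link and a fullwidth-letter scheme.
    for sample in ("https://example.com/", "/docs/index.html", "\uff4aavascript:void(0)"):
        print(repr(sample), "->", canonical_scheme(sample) or "(none)", href_is_allowed(sample))
    print(allows_formaction({"a": ["href", "title"], "button": ["formaction"]}))
```

Run the check on the output of bleach.clean() (for example over each href it kept) rather than on raw input, so it catches what the sanitizer passed through.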
Remediation
Install the update from the vendor's website.
References
- https://github.com/mozilla/bleach/security/advisories/GHSA-8rfp-98v4-mmr6
- https://bugzilla.mozilla.org/show_bug.cgi?id=2023812
- https://github.com/mozilla/bleach/security/advisories/GHSA-g75f-g53v-794x
- https://github.com/mozilla/bleach/blob/v6.3.0/bleach/linkifier.py
- https://github.com/mozilla/bleach/security/advisories/GHSA-gj48-438w-jh9v