Incomplete List of Disallowed Inputs in Bleach - #VU133464


Published: June 8, 2026


Vulnerability identifier: #VU133464
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-184
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mozilla
Affected software:
Bleach

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass URI scheme restrictions in sanitized output.

The vulnerability exists due to an incomplete list of disallowed inputs in bleach.clean when sanitizing anchor tags whose href attributes contain crafted URI schemes with Unicode characters above U+00A0. A remote attacker can supply specially crafted HTML content to bypass URI scheme restrictions in the sanitized output.

This issue is not a direct cross-site scripting vulnerability in modern browsers, but downstream Unicode normalization before rendering could make the disallowed scheme valid.


Remediation

Install security update from vendor's website.

Sources