Vulnerability DatabaseCVE-2026-47344
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-47344
Published:June 08, 2026
Updated:June 28, 2026
When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.
Affected Packages
typo3/html-sanitizer (PHP):
Affected version(s) >=dev-main <2.3.2
Fix Suggestion:
Update to version 2.3.2
Related Resources (6)
https://github.com/TYPO3/html-sanitizer
https://typo3.org/security/advisory/typo3-core-sa-2026-006
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/html-sanitizer/CVE-2026-47344.yaml
https://nvd.nist.gov/vuln/detail/CVE-2026-47344
https://github.com/TYPO3/html-sanitizer/commit/bd1a88d9b5a5f67f1120ec41084e9c1a0675641c
https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-jvf5-rxvv-3mcg
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79
Interpretation Conflict
CWE-436
EPSS
Base Score:
0.28