{"data":{"id":"3dd954d2-9c36-4c2f-9464-48a4761cf074","title":"GHSA-8rfp-98v4-mmr6: Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output","summary":"Bleach, a library that sanitizes HTML by removing dangerous content, fails to block disallowed URI schemes (for example javascript:) when certain Unicode characters with code points above U+00A0 are inserted into the scheme portion of a URI. Modern browsers do not execute these malformed links, so the issue is not directly exploitable in a browser on its own, but it breaks Bleach's guarantee that disallowed schemes never appear in its output; if a downstream system normalizes or strips those Unicode characters after sanitization, the link can become an executable javascript: URI.","solution":"Affected users should upgrade to Bleach 6.4.0 or later. If upgrading is not immediately possible, pre-process input to remove non-ASCII characters from URI schemes before passing it to bleach.clean, and check that nothing downstream applies Unicode normalization or strips non-ASCII characters from the sanitized output, since that post-processing is what would turn these links into executable ones. A strong Content-Security-Policy (a response header that restricts which scripts a page may run) whose script-src omits 'unsafe-inline' and 'unsafe-eval' limits the impact but does not fix the sanitizer, so it should be used alongside the upgrade rather than instead of it.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-8rfp-98v4-mmr6","publishedAt":"2026-06-16T14:06:29.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"low","severity":"low","attackType":[],"issueType":"vulnerability","affectedPackages":["bleach@<= 6.3.0 (fixed: 6.4.0)"],"affectedVendors":[],"affectedVendorsRaw":[],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-06-16T14:06:29.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.7,"researchCategory":null,"atlasIds":null}}