{"data":{"id":"78efbe64-b5a1-403c-a416-33f3d25b7bdf","title":"GHSA-r758-8hxw-4845: justhtml: Mutation XSS with custom foreign-namespace sanitization policies","summary":"A mutation XSS (cross-site scripting, where attackers inject malicious code through HTML) vulnerability was found in the justhtml library when using custom sanitization policies that preserve foreign namespaces such as SVG or MathML. Specially crafted input could pass through sanitization while appearing safe, then become dangerous when a browser or parser re-parses the sanitized output. This only affects users with custom policies; the default settings are safe.","solution":"Upgrade to justhtml version 1.14.0 or later. If you cannot upgrade immediately, keep `drop_foreign_namespaces=True`, avoid allowlisting foreign namespaces for untrusted input, and avoid allowlisting raw-text containers such as `<style>` in custom policies.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-r758-8hxw-4845","publishedAt":"2026-04-08T00:06:17.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"low","severity":"low","attackType":["other"],"issueType":"vulnerability","affectedPackages":["justhtml@>= 1.13.0, < 1.14.0 (fixed: 1.14.0)"],"affectedVendors":[],"affectedVendorsRaw":[],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-08T00:06:17.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}