CVE-2014-3146

Severity: MEDIUM (6.1, CVSS 3.1)
Published: May 14, 2014
Last Modified: Jun 17, 2026

Description

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

CVSS Details

Base Score: 6.1
Exploitability: 2.8
Impact: 2.7
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 95

Vendor  Product  Version  Range
lxml    lxml     *        ≤3.3.4
lxml    lxml     0.5      any
lxml    lxml     0.5.1    any
lxml    lxml     0.6      any
lxml    lxml     0.7      any
lxml    lxml     0.8      any
lxml    lxml     0.9      any
lxml    lxml     0.9.1    any
lxml    lxml     0.9.2    any
lxml    lxml     1.0      any
lxml    lxml     1.0.1    any
lxml    lxml     1.0.2    any
lxml    lxml     1.0.3    any
lxml    lxml     1.0.4    any
lxml    lxml     1.1      any
lxml    lxml     1.1.1    any
lxml    lxml     1.1.2    any
lxml    lxml     1.2      any
lxml    lxml     1.2.1    any
lxml    lxml     1.3      any
lxml    lxml     1.3.1    any
lxml    lxml     1.3.2    any
lxml    lxml     1.3.3    any
lxml    lxml     1.3.4    any
lxml    lxml     1.3.5    any
lxml    lxml     1.3.6    any
lxml    lxml     2.0      any
lxml    lxml     2.0.1    any
lxml    lxml     2.0.2    any
lxml    lxml     2.0.3    any
lxml    lxml     2.0.4    any
lxml    lxml     2.0.5    any
lxml    lxml     2.0.6    any
lxml    lxml     2.0.7    any
lxml    lxml     2.0.8    any
lxml    lxml     2.0.9    any
lxml    lxml     2.0.10   any
lxml    lxml     2.0.11   any
lxml    lxml     2.1      any
lxml    lxml     2.1      any
lxml    lxml     2.1      any
lxml    lxml     2.1      any
lxml    lxml     2.1.1    any
lxml    lxml     2.1.2    any
lxml    lxml     2.1.3    any
lxml    lxml     2.1.4    any
lxml    lxml     2.2      any
lxml    lxml     2.2      any
lxml    lxml     2.2      any
lxml    lxml     2.2      any
lxml    lxml     2.2      any
lxml    lxml     2.2      any
lxml    lxml     2.2.1    any
lxml    lxml     2.2.2    any
lxml    lxml     2.2.3    any
lxml    lxml     2.2.4    any
lxml    lxml     2.2.5    any
lxml    lxml     2.2.6    any
lxml    lxml     2.2.7    any
lxml    lxml     2.2.8    any
lxml    lxml     2.3      any
lxml    lxml     2.3      any
lxml    lxml     2.3      any
lxml    lxml     2.3      any
lxml    lxml     2.3.1    any
lxml    lxml     2.3.2    any
lxml    lxml     2.3.3    any
lxml    lxml     2.3.4    any
lxml    lxml     2.3.5    any
lxml    lxml     2.3.6    any
lxml    lxml     3.0      any
lxml    lxml     3.0      any
lxml    lxml     3.0      any
lxml    lxml     3.0      any
lxml    lxml     3.0.1    any
lxml    lxml     3.0.2    any
lxml    lxml     3.1      any
lxml    lxml     3.1.0    any
lxml    lxml     3.1.1    any
lxml    lxml     3.1.2    any
lxml    lxml     3.2.0    any
lxml    lxml     3.2.1    any
lxml    lxml     3.2.2    any
lxml    lxml     3.2.3    any
lxml    lxml     3.2.4    any
lxml    lxml     3.2.5    any
lxml    lxml     3.3.0    any
lxml    lxml     3.3.0    any
lxml    lxml     3.3.0    any
lxml    lxml     3.3.0    any
lxml    lxml     3.3.0    any
lxml    lxml     3.3.0    any
lxml    lxml     3.3.1    any
lxml    lxml     3.3.2    any
lxml    lxml     3.3.3    any

References 14

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.