[Git][security-tracker-team/security-tracker][master] CVE-2026-28348/CVE-2026-28350: lxml-html-clean was part of lxml before trixie

Adrian Bunk (@bunk) bunk at debian.org
Thu Jun 18 22:28:31 BST 2026 


Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
abbdf580 by Adrian Bunk at 2026-06-19T00:24:45+03:00
CVE-2026-28348/CVE-2026-28350: lxml-html-clean was part of lxml before trixie

Both CVEs reproduce in bookworm.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -64528,15 +64528,19 @@ CVE-2026-28542 (Permission bypass vulnerability in the system service framework.
 CVE-2026-28353 (Trivy Vulnerability Scanner is a VS Code extension that helps find vul ...)
 	- trivy <itp> (bug #929458)
 CVE-2026-28350 (lxml_html_clean is a project for HTML cleaning functionalities copied  ...)
+	- lxml 5.2.0-1
 	- lxml-html-clean 0.4.4-1
 	[trixie] - lxml-html-clean <no-dsa> (Minor issue)
 	NOTE: https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-xvp8-3mhv-424c
 	NOTE: Fixed by: https://github.com/fedora-python/lxml_html_clean/commit/9c5612ca33b941eec4178abf8a5294b103403f34 (0.4.4)
+	NOTE: lxml-html-clean was split out of lxml in 5.2.0
 CVE-2026-28348 (lxml_html_clean is a project for HTML cleaning functionalities copied  ...)
+	- lxml 5.2.0-1
 	- lxml-html-clean 0.4.4-1
 	[trixie] - lxml-html-clean <no-dsa> (Minor issue)
 	NOTE: https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-hw26-mmpg-fqfg
 	NOTE: Fixed by: https://github.com/fedora-python/lxml_html_clean/commit/2ef732667ddbc74ea59847bcf24b75809aaeed3b (0.4.4)
+	NOTE: lxml-html-clean was split out of lxml in 5.2.0
 CVE-2026-28343 (CKEditor 5 is a modern JavaScript rich-text editor with an MVC archite ...)
 	TODO: check
 CVE-2026-28342 (OliveTin gives access to predefined shell commands from a web interfac ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abbdf58048a099289d84af3ec94a309f54cf8cb2

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abbdf58048a099289d84af3ec94a309f54cf8cb2
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260618/b22aa73b/attachment.htm>

More information about the debian-security-tracker-commits mailing list