TYPO3 html-sanitizer XSS Bypass Vulnerability Advisory

Vulnerability Overview Vulnerability Name: TYPO3-CORE-SA-2026-006: Bypassing Cross-Site Scripting Protection in HTML Sanitizer Publication Date: June 9, 2026 Vulnerability Type: Cross-Site Scripting (XSS) Severity: Medium Affected Versions Affected Versions: - 10.0.0-10.4.56 - 11.0.0-11.5.50 - 12.0.0-12.4.45 - 13.0.0-13.4.30 - 14.0.0-14.3.2 Vulnerability Description: - The package allows bypassing cross-site script prevention mechanisms. - When is enabled, whitespace-variant closing tags (e.g., ) are not recognized by the sanitizer but are accepted as valid tags by the browser, causing subsequent content to escape the sanitizer. - Namespace attributes are not correctly encoded during HTML serialization, allowing bypass of the cross-site script prevention mechanism in . Remediation Solution: Update to the following versions to resolve the issue: - 10.4.57 ELTS - 11.5.51 ELTS - 12.4.46 ELTS - 13.4.31 LTS - 14.3.3 LTS References CVE Numbers: CVE-2026-47344, CVE-2026-47345 CVSS Score: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:PVC-N/VI:N/VA:N/SC:L/SI:L/SA:N General Recommendations Follow the recommendations outlined in the TYPO3 Security Guidelines. Subscribe to the TYPO3 announcement mailing list. Author Information Author: Oliver Hader Position: Core Developer at TYPO3 GmbH, Hof, Germany Additional Information All security-related code changes have been marked and can be found in the review system.

Goal Reached Thanks to every supporter — we hit 100%!

TYPO3 html-sanitizer XSS Bypass Vulnerability Advisory