PT-2026-22701 · Unknown · Lxml Html Clean

Uug4Na · Published 2026-02-27 · Updated 2026-03-26 · CVE-2026-28350

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: lxml_html_clean versions prior to 0.4.4

Description: The software does not properly handle the <base> tag during HTML cleaning. Specifically, the <base> tag is not removed even when page_structure=True, the option that removes the html, head, and title tags. This allows an attacker to inject a <base> tag and hijack relative links on the page: an injected <base> changes the base URL for every relative URL in the document, including links, images, and scripts, to a domain controlled by the attacker. This can lead to phishing, redirection of form submissions, cross-site scripting (XSS), and defacement of the page. The advisory does not name an API endpoint, vulnerable parameter, or vulnerable function.

Recommendations: Update to lxml_html_clean version 0.4.4 or later.
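A defence-in-depth check for the behaviour described above (an added example, not code from lxml_html_clean or from this advisory): a standard-library-only pass run over the cleaner's output that reports any surviving <base> tag, strips it, and shows where a relative link would actually resolve. CLEANED_SAMPLE and the hosts attacker.example and shop.example are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: output of an (assumed affected) cleaner run with
# page_structure=True in which a <base> tag survived. attacker.example is a placeholder.
CLEANED_SAMPLE = (
    '<div><base href="https://attacker.example/">'
    '<a href="/login">Sign in</a><img src="logo.png"></div>'
)


class _BaseTagLocator(HTMLParser):
    """Records the source span and href of every <base> start tag."""

    def __init__(self, source):
        super().__init__()
        self._line_starts = [0]  # absolute offset at which each line begins
        for idx, ch in enumerate(source):
            if ch == "\n":
                self._line_starts.append(idx + 1)
        self.spans = []  # (start, end) character slices of each <base ...>
        self.hrefs = []  # href values in document order

    # <base ... /> also arrives here: the default handle_startendtag calls handle_starttag.
    def handle_starttag(self, tag, attrs):
        if tag != "base":
            return
        lineno, col = self.getpos()  # position of the '<' of this tag
        start = self._line_starts[lineno - 1] + col
        self.spans.append((start, start + len(self.get_starttag_text())))
        self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def _locate(html):
    parser = _BaseTagLocator(html)
    parser.feed(html)
    parser.close()
    return parser


def find_base_hrefs(html):
    """href of each <base> tag still present in cleaned HTML (empty list = none survived)."""
    return _locate(html).hrefs


def strip_base_tags(html):
    """Remove every <base ...> start tag; a stray </base> has no effect in browsers."""
    out = html
    for start, end in reversed(_locate(html).spans):  # right-to-left keeps offsets valid
        out = out[:start] + out[end:]
    return out


def resolve_link(html, page_url, href):
    """Where a browser would send `href`: the first <base href> overrides page_url."""
    bases = find_base_hrefs(html)
    base = urljoin(page_url, bases[0]) if bases else page_url
    return urljoin(base, href)
```

Running `resolve_link(CLEANED_SAMPLE, "https://shop.example/cart", "/login")` shows the sign-in link leaving the site, and `strip_base_tags` returns the same markup with the tag removed.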

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

BDU:2026-07381
CVE-2026-28350
GHSA-XVP8-3MHV-424C
OPENSUSE-SU-2026:10322-1
OPENSUSE-SU-2026:20345-1

Affected Products

Lxml Html Clean