CVE-2026-47344
published 2026-06-08CVE-2026-47344: When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., ) are not recognized by the sanitizer but accepted by browsers as valid end…
PriorityP415low2.1CVSS 4.0
AVNACLATPPRLUIPVCNVINVANSCLSILSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.28%
19.9th percentile
When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., ) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | html-sanitizer | >= 0 < 2.3.2 | 2.3.2 |
| typo3 | html_sanitizer | < 2.3.2 | 2.3.2 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
TYPO3 HTML Sanitizer allows Cross-site Scripting
ghsa·2026-06-12
CVE-2026-47344 [LOW] CWE-79 TYPO3 HTML Sanitizer allows Cross-site Scripting
TYPO3 HTML Sanitizer allows Cross-site Scripting
When `ALLOW_INSECURE_RAW_TEXT` is enabled, whitespace-variant closing tags (e.g., ``) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of `typo3/html-sanitizer` before version 2.3.2.
Credits to IPC Labs for reporting this vulnerability.
VulDB
TYPO3 HTML Sanitizer up to 2.3.1 cross site scripting
vuldb·2026-06-08·CVSS 2.1
CVE-2026-47344 [LOW] TYPO3 HTML Sanitizer up to 2.3.1 cross site scripting
A vulnerability, which was classified as problematic, has been found in TYPO3 HTML Sanitizer up to 2.3.1. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting.
This vulnerability is listed as CVE-2026-47344. The attack may be initiated remotely. There is no available exploit.
It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-08
Published