Technologyglobal✓ verified · 90%

TYPO3 HTML Sanitizer allows Cross-site Scripting

Name: TYPO3 HTML Sanitizer allows Cross-site Scripting
Start: 2026-06-12T19:06:45Z
Location: Global (internet)

When: 2026-06-12 19:06 UTC
Where: Global (internet)
Category: cyber_advisory · composer

When `ALLOW_INSECURE_RAW_TEXT` is enabled, whitespace-variant closing tags (e.g., `</style\\t>`) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of `typo3/html-sanitizer` before version 2.3.2. Credits to IPC Labs for reporting this vulnerability.

Sources

GitHub Advisory Database ↗ · first seen 2026-06-12 19:06 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

No correlated events found in the current window. As more events arrive, connections form automatically.

← Back to the live map