TYPO3 HTML Sanitizer allows Cross-site Scripting
- Where: Global (internet)
- Category: cyber_advisory · composer
Namespace attributes are not encoded correctly during HTML serialization. This allows bypassing the cross-site scripting prevention mechanism of `typo3/html-sanitizer` before version 2.3.2. Credits to Doyensec in collaboration with Claude and Anthropic Research for reporting this vulnerability.
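A lockfile check for the version range above, added here as an example and not taken from the advisory or the TYPO3 project. It assumes the standard `composer.lock` layout (`packages` and `packages-dev` arrays with `name` and `version` keys) and treats every plain release below 2.3.2 as affected, since that is the only bound the advisory text gives; the sample lockfile is constructed.

```python
import json
import re

PACKAGE = "typo3/html-sanitizer"  # package named in the advisory
FIXED = (2, 3, 2)                 # first fixed version per the advisory

# Plain releases only ("2.3.1" or "v2.3.1"); anything else is left for manual review.
_RELEASE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for one Composer version string."""
    match = _RELEASE.match(version.strip())
    if not match:
        # Branch aliases (dev-main) and suffixed builds carry no comparable release.
        return "unknown"
    release = tuple(int(part) for part in match.group(1, 2, 3))
    return "affected" if release < FIXED else "fixed"


def audit_lock(lock_text):
    """List (section, version, verdict) for each locked copy of the package."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                version = pkg.get("version", "")
                findings.append((section, version, classify(version)))
    return findings


# Constructed sample lockfile, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/other", "version": "1.0.0"},
        {"name": "typo3/html-sanitizer", "version": "v2.1.4"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, verdict in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version} ({section}): {verdict}")
```

An empty result means the package is not locked in that project; an `unknown` verdict needs a manual look at the resolved commit.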
Sources
- GitHub Advisory Database · first seen 2026-06-12 20:07 UTC