CVE-2026-47344
Status: Received - Intake
Whitespace-Variant XSS Bypass in TYPO3 html-sanitizer

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: TYPO3

Description
When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.
Meta Information
Generated: 2026-06-09
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Vendor: typo3
Product: html-sanitizer
Affected range: versions before 2.3.2 (fixed in 2.3.2)
CWE
CWE-436 (Interpretation Conflict): Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. Here the sanitizer and the browser disagree on where a raw-text element such as <style> ends.
CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting"): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability affects the TYPO3 html-sanitizer library when the ALLOW_INSECURE_RAW_TEXT option is enabled. The sanitizer only recognized the exact form </style> as the end of a raw-text element, whereas the HTML5 tokenizer also accepts an end tag whose name is followed by whitespace, such as </style\t>. The sanitizer therefore treats everything after such a tag as still being raw text and, because of ALLOW_INSECURE_RAW_TEXT, passes it through verbatim, while the browser closes the element at the whitespace variant and parses the remainder as markup.

As a result, an attacker who controls the content of a raw-text element can place arbitrary HTML after a whitespace-variant closing tag and bypass the cross-site scripting (XSS) prevention mechanism, potentially leading to execution of malicious scripts.

The fix makes the HTML5 parser recognize these whitespace-variant closing tags as valid end tags and denies raw-text passthrough inside elements like <noscript>, where browsers may parse content as raw text and would otherwise let a payload escape sanitization.

Impact Analysis

This vulnerability can allow attackers to bypass the HTML sanitization process and inject malicious scripts into web pages, leading to cross-site scripting (XSS) attacks.

Such XSS attacks can result in unauthorized actions performed on behalf of users, theft of sensitive information like cookies or session tokens, defacement of websites, or distribution of malware.

Applications that run typo3/html-sanitizer below 2.3.2 with ALLOW_INSECURE_RAW_TEXT enabled and that accept raw-text elements such as <style> from untrusted users are exposed until updated; without that option the whitespace-variant end tag is not passed through and the bypass does not apply.

Mitigation Strategies

To mitigate CVE-2026-47344, update the typo3/html-sanitizer library to version 2.3.2 or later, which properly recognizes whitespace-variant closing tags as valid end tags and prevents raw-text passthrough inside <noscript> elements. Check the installed version with composer show typo3/html-sanitizer, and search your sanitizer configuration for ALLOW_INSECURE_RAW_TEXT to confirm whether the vulnerable option is in use.

If updating is not immediately possible, disable ALLOW_INSECURE_RAW_TEXT, since the bypass requires it, and verify that the affected content still renders acceptably. The upstream fixes involve changes to the parser, tokenizer, and sanitizer components so that raw-text content is properly sanitized and insecure raw-text behavior is denied in specific contexts.
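The following Python model, added here as an illustration and not code from typo3/html-sanitizer, shows both the mechanism described in the Executive Summary and the effect of the fix and of disabling the option described under Mitigation Strategies. It contrasts a naive raw-text scanner that only matches a literal </style> with one that follows the HTML5 tokenizer rule that an end tag name may be followed by tab, LF, FF, space, "/" or ">" and still closes the element. The allowlist, the function names (sanitize, find_raw_text_end) and the payload are constructed for this example and are not the library's API.

```python
"""Toy model of the raw-text end-tag bug behind CVE-2026-47344.

Added illustration, not code from typo3/html-sanitizer.  A naive scanner
that only matches a literal "</style>" (the behaviour the advisory
describes) is compared with one that follows the HTML5 tokenizer.
"""
from html import escape
import re

# Elements whose content browsers tokenize as raw text (RAWTEXT / script data).
RAW_TEXT_ELEMENTS = {"style", "script", "xmp", "iframe", "noembed", "noframes"}
# Hypothetical allowlist for the toy sanitizer; <style> is allowed so that
# ALLOW_INSECURE_RAW_TEXT-style passthrough has something to act on.
ALLOWED_TAGS = {"p", "b", "i", "style"}
# Characters that may follow the name of an appropriate end tag in the HTML5
# RAWTEXT/RCDATA "end tag name" state.  "\r" is included because the
# input-stream preprocessing normalizes CR to LF before tokenizing.
END_TAG_NAME_TERMINATORS = frozenset("\t\n\f\r />")

TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>")


def find_raw_text_end(markup, name, start, whitespace_aware=True):
    """Locate the end tag that terminates raw text for element `name`.

    Returns (raw_text_end, index_after_end_tag) or None when nothing closes
    the element.  With whitespace_aware=False only a literal "</name>" is
    recognized, which is the mistake the advisory describes.
    """
    needle = "</" + name.lower()
    lowered = markup.lower()
    i = start
    while True:
        j = lowered.find(needle, i)
        if j < 0:
            return None
        k = j + len(needle)
        if not whitespace_aware:
            if markup.startswith(">", k):
                return j, k + 1
        elif k < len(markup) and markup[k] in END_TAG_NAME_TERMINATORS:
            if markup[k] == ">":
                return j, k + 1
            # Whitespace, "/" or attributes after the name are a parse error
            # in HTML5, but the browser still treats the tag as closing.
            close = markup.find(">", k)
            return (j, close + 1) if close >= 0 else None
        i = j + 1


def sanitize(markup, insecure_raw_text=True, whitespace_aware=True):
    """Minimal allowlist sanitizer.

    insecure_raw_text=True models ALLOW_INSECURE_RAW_TEXT: the body of a
    raw-text element is copied verbatim up to where the scanner believes
    the element ends.  Attributes are dropped for brevity.
    """
    out = []
    pos = 0
    while pos < len(markup):
        m = TAG_RE.search(markup, pos)
        if m is None:
            out.append(escape(markup[pos:]))
            break
        out.append(escape(markup[pos:m.start()]))
        closing, name = m.group(1), m.group(2).lower()
        pos = m.end()
        if name not in ALLOWED_TAGS:
            out.append(escape(m.group(0)))  # encode disallowed tags as text
            continue
        out.append("<%s%s>" % (closing, name))
        if closing or name not in RAW_TEXT_ELEMENTS:
            continue
        found = find_raw_text_end(markup, name, pos, whitespace_aware)
        raw_end, tag_end = found if found else (len(markup), len(markup))
        body = markup[pos:raw_end]
        out.append(body if insecure_raw_text else escape(body))
        out.append("</%s>" % name)
        pos = tag_end
    return "".join(out)


# Constructed payload: the tab inside the end tag defeats a literal match.
PAYLOAD = "<style>x</style\t><img src=x onerror=alert(1)>"


def demo():
    """Return (pre-fix output, post-fix output) for PAYLOAD."""
    vulnerable = sanitize(PAYLOAD, insecure_raw_text=True, whitespace_aware=False)
    fixed = sanitize(PAYLOAD, insecure_raw_text=True, whitespace_aware=True)
    return vulnerable, fixed


if __name__ == "__main__":
    before, after = demo()
    print("pre-fix :", repr(before))
    print("post-fix:", repr(after))
```

In the pre-fix output the <img> tag survives inside what the sanitizer took to be the <style> body; a browser closes the element at </style\t> and runs the event handler. With the whitespace-aware scanner the element ends where the browser ends it and the <img> tag is encoded. Running sanitize with insecure_raw_text=False also removes the bypass even for the naive scanner, which is why disabling the option is a usable stopgap.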
