TYPO3 HTML Sanitizer allows Cross-Site Scripting
CVE-2026-47344

2.1LOW

Key Information:

Vendor: Typo3
Status: Html Sanitizer
Vendor: CVE Published:; 8 June 2026

What is CVE-2026-47344?

When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.

Affected Version(s)

HTML Sanitizer 0 < 2.3.2

References

https://typo3.org/security/advisory/typo3-core-sa-2026-006

vendor-advisory

https://github.com/TYPO3/html-sanitizer/commit/bd1a88d9b5...

patch

CVSS V4

Score:

2.1

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
May 19, 2026

Credit

IPC Labs

Oliver Hader

CVE-2026-47344 Data

JSON

Typo3

What is CVE-2026-47344?

Affected Version(s)

References

CVSS V4

Timeline

Credit