Cross-Site Scripting Vulnerability in TYPO3 HTML Sanitizer by TYPO3
CVE-2026-47344

2.1LOW

Key Information:

Vendor

Typo3

Vendor
CVE Published:
8 June 2026

What is CVE-2026-47344?

A vulnerability exists in the TYPO3 HTML Sanitizer where the ALLOW_INSECURE_RAW_TEXT option, when enabled, allows the processing of whitespace-variant closing tags, such as . This oversight means that browsers can interpret these tags as valid, while the sanitizer fails to recognize them. As a result, attackers can exploit this vulnerability to insert malicious scripts, effectively bypassing the intended cross-site scripting prevention mechanisms in TYPO3 versions earlier than 2.3.2.

Affected Version(s)

HTML Sanitizer 0 < 2.3.2

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

IPC Labs
Oliver Hader
.