TYPO3 HTML Sanitizer allows Cross-Site Scripting
CVE-2026-47345

5.1MEDIUM

Key Information:

Vendor: Typo3
Status: Html Sanitizer
Vendor: CVE Published:; 8 June 2026

What is CVE-2026-47345?

Namespace attributes are not encoded correctly during HTML serialization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.

Affected Version(s)

HTML Sanitizer 0 < 2.3.2

References

https://typo3.org/security/advisory/typo3-core-sa-2026-006

vendor-advisory

https://github.com/TYPO3/html-sanitizer/commit/8b5d0be44d...

patch

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
May 19, 2026

Credit

Doyensec in collaboration with Claude and Anthropic Research

Benjamin Franzke

CVE-2026-47345 Data

JSON

Typo3

What is CVE-2026-47345?

Affected Version(s)

References

CVSS V4

Timeline

Credit