Cross-Site Scripting Vulnerability in TYPO3 HTML Sanitizer
CVE-2026-47345

5.1MEDIUM

Key Information:

Vendor

Typo3

Vendor
CVE Published:
8 June 2026

What is CVE-2026-47345?

A vulnerability exists in TYPO3 HTML Sanitizer where namespace attributes are incorrectly encoded during the HTML serialization process. This flaw permits attackers to bypass the cross-site scripting (XSS) prevention mechanisms, posing a significant risk to the integrity and security of affected TYPO3 installations prior to version 2.3.2. Users are advised to upgrade to the latest version to mitigate this vulnerability.

Affected Version(s)

HTML Sanitizer 0 < 2.3.2

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Doyensec in collaboration with Claude and Anthropic Research
Benjamin Franzke
.