CVE Catalog

CVE-2026-47344

LowCVSS 2.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.05%

15th percentile — higher than 15% of all known CVEs

Summary

When the ALLOW_INSECURE_RAW_TEXT option is enabled, whitespace-variant closing tags (e.g., </style >) are not recognized by the sanitizer but accepted by browsers as valid end tags. This allows bypassing the XSS prevention mechanism in typo3/html-sanitizer before version 2.3.2.

Risk Assessment

Organizations may be exposed to XSS attacks, potentially leading to user data theft or session hijacking. Exploiting this vulnerability can compromise the integrity of web applications.

Recommendation

It is recommended to upgrade to version 2.3.2 or later to eliminate this vulnerability. Additionally, consider disabling the ALLOW_INSECURE_RAW_TEXT option to enhance application security.

Original NVD description (English source)

When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS