[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2021-28957":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T08:55:32.481Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":44,"aliases":54,"duplicate_of":9,"upstream":57,"downstream":58,"duplicates":103,"related":104,"reserved_at":9,"published_at":115,"modified_at":116,"state":117,"summary":118,"references_raw":126,"kevs":224,"epss":225,"epss_history":228,"metrics":493,"affected":511},"CVE-2021-28957","An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-79","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","weakness","Stable","Base","High",[20,24,28,32,36,40],{"id":21,"name":22,"techniques":23},"CAPEC-209","XSS Using MIME Type Mismatch",[],{"id":25,"name":26,"techniques":27},"CAPEC-588","DOM-Based XSS",[],{"id":29,"name":30,"techniques":31},"CAPEC-591","Reflected XSS",[],{"id":33,"name":34,"techniques":35},"CAPEC-592","Stored XSS",[],{"id":37,"name":38,"techniques":39},"CAPEC-63","Cross-Site Scripting (XSS)",[],{"id":41,"name":42,"techniques":43},"CAPEC-85","AJAX Footprinting",[],[45],{"_key":46,"name":47,"source":48,"url":49,"maturity":50,"reliability_score":51,"verified":52,"type":9,"platforms":53,"requires_auth":9,"exploitdb":9,"metasploit":9},"REF_130090D07C6F32D7","Exploit Reference (bugs.launchpad.net)","reference","https://bugs.launchpad.net/lxml/+bug/1888153","unknown",0.2,false,[],[55,56],"GHSA-jq4v-f5q6-mjqq","PYSEC-2021-19",[],[59,61,63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,95,97,99,101],{"_key":60},"ALPINE-CVE-2021-28957",{"_key":62},"RHSA-2021:4158",{"_key":64},"SUSE-SU-2022:0803-1",{"_key":66},"SUSE-SU-2022:0895-1",{"_key":68},"SUSE-SU-2022:1729-1",{"_key":70},"SUSE-SU-2022:3934-1",{"_key":72},"SUSE-SU-2022:3937-1",{"_key":74},"UBUNTU-CVE-2021-28957",{"_key":76},"USN-4896-1",{"_key":78},"USN-4896-2",{"_key":80},"SUSE-SU-2022:3836-1",{"_key":82},"OPENSUSE-SU-2022:0803-1",{"_key":84},"OPENSUSE-SU-2024:11473-1",{"_key":86},"OPENSUSE-SU-2025:14647-1",{"_key":88},"DLA-2606-1",{"_key":90},"DSA-4880-1",{"_key":92},"RHSA-2021:4151",{"_key":94},"RHSA-2021:3254",{"_key":96},"RHSA-2021:4160",{"_key":98},"RHSA-2021:4162",{"_key":100},"MGASA-2021-0246",{"_key":102},"DEBIAN-CVE-2021-28957",[],[105,106,107,108,109,110,111,112,113,114],{"_key":64},{"_key":66},{"_key":68},{"_key":70},{"_key":72},{"_key":80},{"_key":82},{"_key":84},{"_key":86},{"_key":100},"2021-03-21T04:39:35.000Z","2025-12-17T21:31:43.446Z","Modified",{"cisa_kev":52,"cisa_ransomware":52,"cisa_vendor":9,"epss_severity":119,"epss_score":120,"severity":121,"severity_score":122,"severity_version":123,"severity_source":124,"severity_vector":125,"severity_status":117},"low",0.00518,"medium",6.1,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",[127,137,142,148,155,160,164,168,173,178,183,187,191,195,199,203,207,211,215,220],{"url":49,"sources":128,"tags":131},[124,129,130],"nvd","osv_pypi",[132,133,134,135,136],"X Refsource MISC","Exploit","Issue Tracking","Third Party Advisory","WEB",{"url":138,"sources":139,"tags":140},"https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270",[124,129,130],[132,141,135,136],"Patch",{"url":143,"sources":144,"tags":145},"https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html",[124,129,130],[146,147,135,136],"Mailing List","X Refsource MLIST",{"url":149,"sources":150,"tags":151},"https://www.debian.org/security/2021/dsa-4880",[124,129,130],[152,153,135,136,154],"Vendor Advisory","X Refsource DEBIAN","Advisory",{"url":156,"sources":157,"tags":158},"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/",[124,129],[152,159],"X Refsource FEDORA",{"url":161,"sources":162,"tags":163},"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/",[124,129],[152,159],{"url":165,"sources":166,"tags":167},"https://www.oracle.com/security-alerts/cpuoct2021.html",[124,129,130],[132,141,135,136],{"url":169,"sources":170,"tags":171},"https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999",[124,129,130],[132,141,135,136,172],"FIX",{"url":174,"sources":175,"tags":176},"https://security.netapp.com/advisory/ntap-20210521-0004/",[124,129],[177,135],"X Refsource CONFIRM",{"url":179,"sources":180,"tags":181},"https://security.gentoo.org/glsa/202208-06",[124,129,130],[152,182,135,136],"X Refsource GENTOO",{"url":184,"sources":185,"tags":186},"https://nvd.nist.gov/vuln/detail/CVE-2021-28957",[130],[154],{"url":188,"sources":189,"tags":190},"https://github.com/lxml/lxml/pull/316",[130],[136],{"url":192,"sources":193,"tags":194},"https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d",[130],[136],{"url":196,"sources":197,"tags":198},"https://security.netapp.com/advisory/ntap-20210521-0004",[130],[136],{"url":200,"sources":201,"tags":202},"https://pypi.org/project/lxml",[130],[136],{"url":204,"sources":205,"tags":206},"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ",[130],[136],{"url":208,"sources":209,"tags":210},"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45",[130],[136],{"url":212,"sources":213,"tags":214},"https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2021-19.yaml",[130],[136],{"url":216,"sources":217,"tags":218},"https://github.com/lxml/lxml",[130],[219],"PACKAGE",{"url":221,"sources":222,"tags":223},"https://github.com/advisories/GHSA-jq4v-f5q6-mjqq",[130],[154],[],{"date":226,"score":120,"percentile":227},"2026-06-04",0.67094,[229,233,236,239,242,244,246,249,252,255,258,261,264,266,269,273,276,279,282,285,288,291,294,297,299,302,305,308,311,314,316,319,322,324,327,330,333,336,339,342,345,348,350,353,356,359,362,365,368,371,374,377,380,382,386,389,392,395,398,401,404,407,410,413,416,419,422,425,428,431,434,437,440,443,446,449,452,455,457,460,463,466,469,472,475,478,481,484,487,490],{"date":230,"score":231,"percentile":232},"2025-11-04",0.00496,0.64927,{"date":234,"score":231,"percentile":235},"2025-11-05",0.64906,{"date":237,"score":231,"percentile":238},"2025-11-06",0.64901,{"date":240,"score":231,"percentile":241},"2025-11-07",0.6491,{"date":243,"score":231,"percentile":241},"2025-11-08",{"date":245,"score":231,"percentile":238},"2025-11-09",{"date":247,"score":231,"percentile":248},"2025-11-10",0.64892,{"date":250,"score":231,"percentile":251},"2025-11-11",0.649,{"date":253,"score":231,"percentile":254},"2025-11-12",0.64923,{"date":256,"score":231,"percentile":257},"2025-11-13",0.6493,{"date":259,"score":231,"percentile":260},"2025-11-14",0.6494,{"date":262,"score":231,"percentile":263},"2025-11-15",0.64935,{"date":265,"score":231,"percentile":232},"2025-11-16",{"date":267,"score":231,"percentile":268},"2025-11-17",0.64924,{"date":270,"score":271,"percentile":272},"2025-11-18",0.00935,0.74186,{"date":274,"score":271,"percentile":275},"2025-11-19",0.74192,{"date":277,"score":271,"percentile":278},"2025-11-20",0.74202,{"date":280,"score":231,"percentile":281},"2025-11-21",0.64941,{"date":283,"score":231,"percentile":284},"2025-11-22",0.64947,{"date":286,"score":231,"percentile":287},"2025-11-23",0.64932,{"date":289,"score":231,"percentile":290},"2025-11-24",0.64917,{"date":292,"score":231,"percentile":293},"2025-11-25",0.64919,{"date":295,"score":231,"percentile":296},"2025-11-26",0.64922,{"date":298,"score":231,"percentile":232},"2025-11-27",{"date":300,"score":231,"percentile":301},"2025-11-28",0.64913,{"date":303,"score":231,"percentile":304},"2025-11-29",0.64889,{"date":306,"score":231,"percentile":307},"2025-11-30",0.64883,{"date":309,"score":231,"percentile":310},"2025-12-01",0.65043,{"date":312,"score":231,"percentile":313},"2025-12-02",0.65061,{"date":315,"score":231,"percentile":313},"2025-12-03",{"date":317,"score":231,"percentile":318},"2025-12-04",0.64887,{"date":320,"score":231,"percentile":321},"2025-12-05",0.64903,{"date":323,"score":231,"percentile":235},"2025-12-06",{"date":325,"score":231,"percentile":326},"2025-12-07",0.64904,{"date":328,"score":231,"percentile":329},"2025-12-08",0.64911,{"date":331,"score":231,"percentile":332},"2025-12-09",0.64943,{"date":334,"score":231,"percentile":335},"2025-12-10",0.6499,{"date":337,"score":231,"percentile":338},"2025-12-11",0.65007,{"date":340,"score":231,"percentile":341},"2025-12-12",0.65026,{"date":343,"score":231,"percentile":344},"2025-12-13",0.65031,{"date":346,"score":231,"percentile":347},"2025-12-14",0.65029,{"date":349,"score":231,"percentile":341},"2025-12-15",{"date":351,"score":231,"percentile":352},"2025-12-16",0.65039,{"date":354,"score":231,"percentile":355},"2025-12-17",0.65052,{"date":357,"score":231,"percentile":358},"2025-12-18",0.65093,{"date":360,"score":231,"percentile":361},"2025-12-19",0.65108,{"date":363,"score":231,"percentile":364},"2025-12-20",0.65105,{"date":366,"score":231,"percentile":367},"2025-12-21",0.65095,{"date":369,"score":231,"percentile":370},"2025-12-22",0.65088,{"date":372,"score":231,"percentile":373},"2025-12-23",0.6509,{"date":375,"score":231,"percentile":376},"2025-12-24",0.65096,{"date":378,"score":231,"percentile":379},"2025-12-25",0.65122,{"date":381,"score":231,"percentile":379},"2025-12-26",{"date":383,"score":384,"percentile":385},"2025-12-27",0.00445,0.62903,{"date":387,"score":231,"percentile":388},"2025-12-28",0.65097,{"date":390,"score":231,"percentile":391},"2025-12-29",0.65085,{"date":393,"score":231,"percentile":394},"2025-12-30",0.65101,{"date":396,"score":231,"percentile":397},"2025-12-31",0.65126,{"date":399,"score":231,"percentile":400},"2026-01-01",0.65312,{"date":402,"score":231,"percentile":403},"2026-01-02",0.65298,{"date":405,"score":231,"percentile":406},"2026-01-03",0.653,{"date":408,"score":231,"percentile":409},"2026-01-04",0.65127,{"date":411,"score":231,"percentile":412},"2026-01-05",0.65114,{"date":414,"score":231,"percentile":415},"2026-01-06",0.65112,{"date":417,"score":231,"percentile":418},"2026-01-07",0.65133,{"date":420,"score":231,"percentile":421},"2026-01-08",0.65151,{"date":423,"score":231,"percentile":424},"2026-01-09",0.65155,{"date":426,"score":231,"percentile":427},"2026-01-10",0.65153,{"date":429,"score":231,"percentile":430},"2026-01-11",0.6514,{"date":432,"score":231,"percentile":433},"2026-01-12",0.65124,{"date":435,"score":231,"percentile":436},"2026-01-13",0.65123,{"date":438,"score":231,"percentile":439},"2026-01-14",0.65159,{"date":441,"score":231,"percentile":442},"2026-01-15",0.65178,{"date":444,"score":231,"percentile":445},"2026-01-16",0.65196,{"date":447,"score":231,"percentile":448},"2026-01-17",0.65184,{"date":450,"score":231,"percentile":451},"2026-01-18",0.65167,{"date":453,"score":231,"percentile":454},"2026-01-19",0.65154,{"date":456,"score":231,"percentile":451},"2026-01-20",{"date":458,"score":231,"percentile":459},"2026-01-21",0.65179,{"date":461,"score":231,"percentile":462},"2026-01-22",0.65187,{"date":464,"score":231,"percentile":465},"2026-01-23",0.65221,{"date":467,"score":231,"percentile":468},"2026-01-24",0.6523,{"date":470,"score":231,"percentile":471},"2026-01-25",0.65197,{"date":473,"score":231,"percentile":474},"2026-01-26",0.65186,{"date":476,"score":231,"percentile":477},"2026-01-27",0.65195,{"date":479,"score":231,"percentile":480},"2026-01-28",0.65207,{"date":482,"score":231,"percentile":483},"2026-01-29",0.65206,{"date":485,"score":231,"percentile":486},"2026-01-30",0.65215,{"date":488,"score":231,"percentile":489},"2026-01-31",0.65218,{"date":491,"score":231,"percentile":492},"2026-02-01",0.65368,[494,499,506],{"source":124,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":495,"cvss_v4_0":9},{"baseScore":122,"baseSeverity":496,"vectorString":125,"impactScore":497,"exploitabilityScore":498},"MEDIUM",4.5,7.2,{"source":129,"cvss_v2_0":500,"cvss_v3_0":9,"cvss_v3_1":505,"cvss_v4_0":9},{"baseScore":501,"baseSeverity":9,"vectorString":502,"impactScore":503,"exploitabilityScore":504},4.3,"AV:N/AC:M/Au:N/C:N/I:P/A:N",2.9,8.6,{"baseScore":122,"baseSeverity":496,"vectorString":125,"impactScore":497,"exploitabilityScore":498},{"source":130,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":507,"cvss_v4_0":508},{"baseScore":122,"baseSeverity":9,"vectorString":125,"impactScore":497,"exploitabilityScore":498},{"baseScore":509,"baseSeverity":9,"vectorString":510,"impactScore":9,"exploitabilityScore":9},5.3,"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",[512,523,531,540,546,553],{"ecosystem":9,"name":513,"vendor":514,"product":515,"cpe_part":516,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":517},"debian linux","debian","debian_linux","o",[518,521],{"version":519,"is_range":52,"range_type":520,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"9.0","cpe",{"version":522,"is_range":52,"range_type":520,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"10.0",{"ecosystem":9,"name":524,"vendor":525,"product":524,"cpe_part":516,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":526},"fedora","fedoraproject",[527,529],{"version":528,"is_range":52,"range_type":520,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"33",{"version":530,"is_range":52,"range_type":520,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"34",{"ecosystem":9,"name":532,"vendor":532,"product":532,"cpe_part":533,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":534},"lxml","a",[535],{"version":536,"is_range":537,"range_type":520,"version_start":9,"version_start_type":9,"version_end":538,"version_end_type":539,"fixed_in":9},"lt4.6.3",true,"4.6.3","excluding",{"ecosystem":9,"name":541,"vendor":542,"product":541,"cpe_part":533,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":543},"snapcenter","netapp",[544],{"version":545,"is_range":52,"range_type":520,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"na",{"ecosystem":9,"name":547,"vendor":548,"product":549,"cpe_part":533,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":550},"zfs storage appliance kit","oracle","zfs_storage_appliance_kit",[551],{"version":552,"is_range":52,"range_type":520,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"8.8",{"ecosystem":554,"name":532,"vendor":554,"product":532,"cpe_part":9,"purl_type":555,"purl_namespace":9,"purl_name":532,"source":9,"versions":556},"PyPI","pypi",[557,561],{"version":558,"is_range":537,"range_type":559,"version_start":9,"version_start_type":9,"version_end":560,"version_end_type":539,"fixed_in":9},"lta5f9cb52079dc57477c460dbe6ba0f775e14a999","ecosystem","a5f9cb52079dc57477c460dbe6ba0f775e14a999",{"version":562,"is_range":537,"range_type":559,"version_start":9,"version_start_type":9,"version_end":538,"version_end_type":539,"fixed_in":9},"lt4_6_3"]