CVE-2021-42576

9.8 CRITICAL

The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associat...

Published: 2021-10-18 · Last updated: 2026-06-17

Severity and scoring

CVSS: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Vendor	Product
microco	bluemonday, pybluemonday
python	bluemonday, pybluemonday

Description

The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-42576
[Exploit reference]https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/
[Exploit reference]https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/

Related CVEs

Same vendor

CVE-2026-7210 — `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML d... (7.5 HIGH)
CVE-2026-3087 — If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be... (7.5 HIGH)
CVE-2026-6019 — http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context (6.1 MEDIUM)
CVE-2026-4224 — When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content mo... (7.5 HIGH)
CVE-2026-3644 — The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete (7.5 HIGH)