Modification of Assumed-Immutable Data (MAID) Affecting justhtml package, versions [,1.16.0)


Severity

medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-PYTHON-JUSTHTML-16083990
  • Published: 16 Apr 2026
  • Disclosed: 14 Apr 2026
  • Credit: Unknown

Introduced: 14 Apr 2026

CVE: not available
CWE: CWE-178, CWE-436, CWE-471

How to fix?

Upgrade justhtml to version 1.16.0 or higher.

Overview

justhtml is a pure Python HTML5 parser that just works.

Affected versions of this package are vulnerable to Modification of Assumed-Immutable Data (MAID) through the sanitize(), sanitize_dom(), and JustHTML(..., sanitize=True) paths in src/justhtml/sanitize.py. An attacker can bypass intended HTML filtering by mutating nested policy state, such as allowed_attributes or url_policy.allow_rules after a sanitizer has been compiled, causing later sanitization calls to keep using a previously compiled, more permissive policy and preserve dangerous markup or URLs. The same issue affects exported default policy objects process-wide, so weakening DEFAULT_POLICY.url_policy.allow_rules[("a", "href")].allowed_schemes can alter subsequent default sanitization and let malicious links survive in user-visible output.

Note: The maintainer aggregated multiple security fixes into one advisory; the individual impacts are described in the maintainer's advisory.
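The two failure modes above, shown in an added example that is not justhtml's code and does not use its API: a toy attribute/URL sanitizer whose compiled form is cached by the policy object's identity and never invalidated (so tightening the policy after first use has no effect), and a process-wide mutable default that any importer can weaken. The hardened variant derives the cache key from the policy's content on every call and ships the default as a frozen object, so in-place weakening raises instead of silently changing later output. `Policy`, `DEFAULT_POLICY`, `url_rules`, `sanitize_vulnerable`, `sanitize_fixed` and the sample markup are all constructed for this illustration; the advisory's `url_policy.allow_rules[("a", "href")].allowed_schemes` path is mirrored here as the simpler `url_rules[("a", "href")]`.

```python
# Added example, not justhtml's code: a toy sanitizer modelling the two Modification of
# Assumed-Immutable Data failures the advisory describes. Policy, DEFAULT_POLICY,
# sanitize_vulnerable and sanitize_fixed are illustrative names, not justhtml's real API.
import html
from dataclasses import dataclass
from html.parser import HTMLParser
from types import MappingProxyType
from urllib.parse import urlsplit

@dataclass
class Policy:
    allowed_tags: set
    allowed_attributes: set  # attribute names kept on allowed tags
    url_rules: dict          # (tag, attr) -> set of URL schemes allowed in that attribute

# Process-wide mutable default: any importer can weaken it for every later caller.
DEFAULT_POLICY = Policy({"a", "p"}, {"href"}, {("a", "href"): {"http", "https"}})

class _Filter(HTMLParser):
    # Re-emits allowed tags and attributes; drops URL attributes with a disallowed scheme.
    def __init__(self, tags, attrs, rules):
        super().__init__()
        self.tags, self.attrs, self.rules, self.out = tags, attrs, rules, []

    def handle_starttag(self, tag, attributes):
        if tag not in self.tags:
            return
        kept = ""
        for name, value in attributes:
            value = value or ""
            rule = self.rules.get((tag, name))
            if name not in self.attrs or (rule is not None and urlsplit(value).scheme.lower() not in rule):
                continue  # unknown attribute, or a scheme (e.g. javascript:) the rule rejects
            kept += f' {name}="{html.escape(value)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.tags:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def compile_policy(policy):
    """Immutable lookup tables built from the policy's content at this moment."""
    return (frozenset(policy.allowed_tags), frozenset(policy.allowed_attributes),
            {k: frozenset(v) for k, v in policy.url_rules.items()})

def _run(markup, compiled):
    f = _Filter(*compiled)
    f.feed(markup)
    f.close()
    return "".join(f.out)

# Vulnerable: cache keyed by id(policy), never invalidated. In-place mutation of the policy
# never reaches the snapshot, and a recycled id() can even hit another policy's entry.
_CACHE_BY_IDENTITY = {}

def sanitize_vulnerable(markup, policy=None):
    policy = DEFAULT_POLICY if policy is None else policy
    if id(policy) not in _CACHE_BY_IDENTITY:
        _CACHE_BY_IDENTITY[id(policy)] = compile_policy(policy)
    return _run(markup, _CACHE_BY_IDENTITY[id(policy)])

@dataclass(frozen=True)
class FrozenPolicy:
    allowed_tags: frozenset
    allowed_attributes: frozenset
    url_rules: MappingProxyType  # (tag, attr) -> frozenset of allowed schemes

def freeze(policy):
    tags, attrs, rules = compile_policy(policy)
    return FrozenPolicy(tags, attrs, MappingProxyType(rules))

DEFAULT_POLICY_FROZEN = freeze(DEFAULT_POLICY)  # copies content now; in-place weakening raises
_CACHE_BY_CONTENT = {}  # hardened: keyed by what the policy says, re-read on every call

def sanitize_fixed(markup, policy=DEFAULT_POLICY_FROZEN):
    tags, attrs, rules = compile_policy(policy)
    key = (tags, attrs, frozenset(rules.items()))
    return _run(markup, _CACHE_BY_CONTENT.setdefault(key, (tags, attrs, rules)))

SAMPLE = '<p>Hi <a href="http://example.test/">plain</a> <a href="javascript:alert(1)">x</a></p>'  # constructed

def demonstrate():
    out = {}
    # 1. Another module weakens the shared default before the first default-policy call.
    DEFAULT_POLICY.url_rules[("a", "href")].add("javascript")
    out["default_weakened"] = sanitize_vulnerable(SAMPLE)
    # 2. Tightening a policy after it has been compiled once changes nothing.
    p = Policy({"a", "p"}, {"href"}, {("a", "href"): {"http", "https"}})
    sanitize_vulnerable(SAMPLE, p)  # compiled and cached under id(p)
    p.url_rules[("a", "href")].discard("http")  # intended from now on: https only
    out["stale_cache"] = sanitize_vulnerable(SAMPLE, p)
    out["fixed_recompiles"] = sanitize_fixed(SAMPLE, p)
    # 3. The frozen default rejects in-place weakening (frozenset has no add()).
    try:
        DEFAULT_POLICY_FROZEN.url_rules[("a", "href")].add("javascript")
    except AttributeError:
        out["frozen_default_blocked"] = True
    out["fixed_default"] = sanitize_fixed(SAMPLE)
    return out
```

Running `demonstrate()` shows the vulnerable path keeping the `javascript:` link once the shared default has been widened, and keeping the `http:` link after the caller has narrowed the policy to `https` only, while the hardened path drops both. The practical checks for a consumer of the real library follow from the same logic: pin justhtml to 1.16.0 or higher, never mutate a policy or the exported default in place (build a new policy object instead), and add a regression test that weakens and tightens a policy between calls and asserts the output changes.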
