Improper Encoding or Escaping of Output Affecting justhtml package, versions [0.9.0,1.22.0)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-JUSTHTML-17670531
  • published29 Jun 2026
  • disclosed25 Jun 2026
  • creditUnknown

Introduced: 25 Jun 2026

New CVE NOT AVAILABLE CWE-116  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

Upgrade justhtml to version 1.22.0 or higher.

Overview

justhtml is an A pure Python HTML5 parser that just works.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the to_markdown process. An attacker can inject malicious HTML or script into rendered Markdown by including a blank line within the text of a <code> element or a <pre> element inside a link, causing unescaped content to be interpreted as live HTML or Markdown when viewed by another user.

CVSS Base Scores

version 4.0
version 3.1