Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affecting weasyprint package, versions [,69.0)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-WEASYPRINT-17824464
  • published6 Jul 2026
  • disclosed6 Jul 2026
  • creditAyushParkara

Introduced: 6 Jul 2026

NewCVE-2026-49452  (opens in a new tab)
CWE-74  (opens in a new tab)

How to fix?

Upgrade weasyprint to version 69.0 or higher.

Overview

weasyprint is a The Awesome Document Factory

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in the processing of presentational hints when unescaped attribute values are embedded into CSS. An attacker can inject arbitrary CSS declarations by supplying crafted attribute values, potentially causing server-side requests or altering the rendered output. This is only exploitable if presentational hints are enabled.

CVSS Base Scores

version 4.0
version 3.1