PatchSiren cyber security CVE debrief
CVE-2026-47344 TYPO3 CVE debrief
CVE-2026-47344 is a low-severity vulnerability in typo3/html-sanitizer that allows bypassing the cross-site scripting prevention mechanism. When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags are not recognized by the sanitizer but are accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. The CVE was published on 2026-06-08 and modified on 2026-06-09.
- Vendor: TYPO3
- Product: HTML Sanitizer
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-09
Who should care
Users of typo3/html-sanitizer before version 2.3.2 who have ALLOW_INSECURE_RAW_TEXT enabled should be aware of this vulnerability.
Technical summary
When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style followed by trailing whitespace before the closing >) are not recognized by the sanitizer but are accepted by browsers as valid end tags. The browser therefore ends the raw text element earlier than the sanitizer expects, and the content that follows escapes sanitization.
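A simplified model of the mismatch described above, as an added example (not code from typo3/html-sanitizer or the advisory): it compares where a browser ends a raw text element with where a matcher that accepts only the exact closing form would, and reports the markup in between. The strict matcher is an assumption standing in for the unpatched behaviour, the function names are hypothetical, and the sample strings are constructed.

```python
import re

WS_OR_END = r"(?=[\t\n\f\r />])"  # HTML: whitespace, "/" or ">" ends a tag name

def _open_tag(tag):
    return re.compile(r"<" + re.escape(tag) + WS_OR_END + r"[^>]*>", re.I)

def _browser_end_tag(tag):
    # Browser view: "</tag" followed by whitespace, "/" or ">" closes raw text.
    # Approximation: a ">" inside a quoted attribute value is not handled.
    return re.compile(r"</" + re.escape(tag) + WS_OR_END + r"[^>]*>", re.I)

def _strict_end_tag(tag):
    # Assumed strict view (not the library's code): only the exact "</tag>" closes.
    return re.compile(r"</" + re.escape(tag) + r">", re.I)

def differential(html, tag="style"):
    """List (end_tag_as_written, markup_after_it) wherever the browser ends the
    raw text element earlier than the strict view does."""
    findings, pos = [], 0
    while (m := _open_tag(tag).search(html, pos)):
        b = _browser_end_tag(tag).search(html, m.end())
        if b is None:
            break  # never closed: both views treat the rest as raw text
        s = _strict_end_tag(tag).search(html, m.end())
        strict_start = s.start() if s else len(html)
        if b.start() < strict_start:
            # Live markup for the browser, inert raw text for the strict view.
            findings.append((b.group(0), html[b.end():strict_start]))
        pos = b.end()
    return findings

# Constructed sample inputs (benign markup only).
SAMPLES = [
    "<style>a{}</style><p>ok</p>",            # exact end tag: views agree
    "<style>a{}</style ><p>after</p>",        # trailing space before ">"
    "<STYLE>a{}</Style\n><p>x</p></style>",   # newline variant, mixed case
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", differential(sample))
```

Run over stored content that was sanitized before the upgrade to 2.3.2, a non-empty result marks a record worth re-sanitizing.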
Defensive priority
Low
Recommended defensive actions
- Update typo3/html-sanitizer to version 2.3.2 or later.
- Disable ALLOW_INSECURE_RAW_TEXT if possible.
Evidence notes
The CVE record and NVD detail are listed under Official resources, together with the additional source references.
Official resources
- CVE-2026-47344 CVE record (CVE.org)
- CVE-2026-47344 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: f4fb688c-4412-4426-b4b8-421ecf27b14a
CVE-2026-47344 was published on 2026-06-08T20:17:01.587Z and modified on 2026-06-09T13:46:50.540Z.