CWE-471
AllowedModification of Assumed-Immutable Data (MAID)
Abstraction: Base · Status: Draft
The product does not properly protect an assumed-immutable element from being modified by an attacker.
69 vulnerabilities reference this CWE, most recent first.
CVE-2018-3721 (GCVE-0-2018-3721)
Vulnerability from cvelistv5 – Published: 2018-06-07 02:00 – Updated: 2024-09-16 22:34- CWE-471 - Modification of Assumed-Immutable Data (MAID) (CWE-471)
| URL | Tags |
|---|---|
| https://hackerone.com/reports/310443 | x_refsource_MISC |
| https://github.com/lodash/lodash/commit/d8e069cc3… | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2019091… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | lodash node module |
Affected:
Versions before 4.17.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:50:30.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/310443"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "lodash node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "Versions before 4.17.5"
}
]
}
],
"datePublic": "2018-04-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-471",
"description": "Modification of Assumed-Immutable Data (MAID) (CWE-471)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-19T16:06:08.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/310443"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2018-3721",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lodash node module",
"version": {
"version_data": [
{
"version_value": "Versions before 4.17.5"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Modification of Assumed-Immutable Data (MAID) (CWE-471)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/310443",
"refsource": "MISC",
"url": "https://hackerone.com/reports/310443"
},
{
"name": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a",
"refsource": "MISC",
"url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190919-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-3721",
"datePublished": "2018-06-07T02:00:00.000Z",
"dateReserved": "2017-12-28T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:34:54.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-3720 (GCVE-0-2018-3720)
Vulnerability from cvelistv5 – Published: 2018-06-07 02:00 – Updated: 2024-09-16 22:56- CWE-471 - Modification of Assumed-Immutable Data (MAID) (CWE-471)
| URL | Tags |
|---|---|
| https://hackerone.com/reports/310707 | x_refsource_MISC |
| https://github.com/jonschlinkert/assign-deep/comm… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | assign-deep node module |
Affected:
Versions before 0.4.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:50:30.425Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/310707"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jonschlinkert/assign-deep/commit/19953a8c089b0328c470acaaaf6accdfcb34da11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "assign-deep node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "Versions before 0.4.7"
}
]
}
],
"datePublic": "2018-04-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "assign-deep node module before 0.4.7 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-471",
"description": "Modification of Assumed-Immutable Data (MAID) (CWE-471)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-07T01:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/310707"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jonschlinkert/assign-deep/commit/19953a8c089b0328c470acaaaf6accdfcb34da11"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2018-3720",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "assign-deep node module",
"version": {
"version_data": [
{
"version_value": "Versions before 0.4.7"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "assign-deep node module before 0.4.7 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Modification of Assumed-Immutable Data (MAID) (CWE-471)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/310707",
"refsource": "MISC",
"url": "https://hackerone.com/reports/310707"
},
{
"name": "https://github.com/jonschlinkert/assign-deep/commit/19953a8c089b0328c470acaaaf6accdfcb34da11",
"refsource": "MISC",
"url": "https://github.com/jonschlinkert/assign-deep/commit/19953a8c089b0328c470acaaaf6accdfcb34da11"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-3720",
"datePublished": "2018-06-07T02:00:00.000Z",
"dateReserved": "2017-12-28T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:56:52.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-3719 (GCVE-0-2018-3719)
Vulnerability from cvelistv5 – Published: 2018-06-07 02:00 – Updated: 2024-09-17 04:19- CWE-471 - Modification of Assumed-Immutable Data (MAID) (CWE-471)
| URL | Tags |
|---|---|
| https://github.com/jonschlinkert/mixin-deep/commi… | x_refsource_MISC |
| https://hackerone.com/reports/311236 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | mixin-deep node module |
Affected:
Versions before 1.3.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:50:30.481Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/311236"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mixin-deep node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "Versions before 1.3.1"
}
]
}
],
"datePublic": "2018-04-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-471",
"description": "Modification of Assumed-Immutable Data (MAID) (CWE-471)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-07T01:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/311236"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2018-3719",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "mixin-deep node module",
"version": {
"version_data": [
{
"version_value": "Versions before 1.3.1"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Modification of Assumed-Immutable Data (MAID) (CWE-471)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c",
"refsource": "MISC",
"url": "https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c"
},
{
"name": "https://hackerone.com/reports/311236",
"refsource": "MISC",
"url": "https://hackerone.com/reports/311236"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-3719",
"datePublished": "2018-06-07T02:00:00.000Z",
"dateReserved": "2017-12-28T00:00:00.000Z",
"dateUpdated": "2024-09-17T04:19:14.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-3MPR-HQ3P-49H9
Vulnerability from github – Published: 2018-07-26 15:10 – Updated: 2023-03-01 01:32Versions of mixin-deep before 1.3.1 are vulnerable to prototype pollution via merging functions.
Recommendation
Update to version 1.3.1 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mixin-deep"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-3719"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-471"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:55:36Z",
"nvd_published_at": "2018-06-07T02:29:00Z",
"severity": "HIGH"
},
"details": "Versions of `mixin-deep` before 1.3.1 are vulnerable to prototype pollution via merging functions.\n\n\n## Recommendation\n\nUpdate to version 1.3.1 or later.",
"id": "GHSA-3mpr-hq3p-49h9",
"modified": "2023-03-01T01:32:37Z",
"published": "2018-07-26T15:10:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3719"
},
{
"type": "WEB",
"url": "https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/311236"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-3mpr-hq3p-49h9"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/578"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in mixin-deep"
}
GHSA-3Q24-WF35-56H6
Vulnerability from github – Published: 2025-01-23 18:31 – Updated: 2025-01-23 18:31IBM Security Verify Bridge 1.0.0 through 1.0.15 could allow a local privileged user to overwrite files due to excessive privileges granted to the agent. which could also cause a denial of service.
{
"affected": [],
"aliases": [
"CVE-2024-45672"
],
"database_specific": {
"cwe_ids": [
"CWE-471"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-23T18:15:30Z",
"severity": "MODERATE"
},
"details": "IBM Security Verify Bridge 1.0.0 through 1.0.15 could allow a local privileged user to overwrite files due to excessive privileges granted to the agent. which could also cause a denial of service.",
"id": "GHSA-3q24-wf35-56h6",
"modified": "2025-01-23T18:31:20Z",
"published": "2025-01-23T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45672"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7181370"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3WC3-W43J-X6WH
Vulnerability from github – Published: 2025-05-22 18:31 – Updated: 2025-05-22 18:31IBM Aspera Faspex 5.0.0 through 5.0.12 could allow an authenticated user to obtain sensitive information or perform unauthorized actions on behalf of another user due to improper protection of assumed immutable data.
{
"affected": [],
"aliases": [
"CVE-2025-33136"
],
"database_specific": {
"cwe_ids": [
"CWE-471"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-22T17:15:23Z",
"severity": "HIGH"
},
"details": "IBM Aspera Faspex 5.0.0 through 5.0.12 could allow an authenticated user to obtain sensitive information or perform unauthorized actions on behalf of another user due to improper protection of assumed immutable data.",
"id": "GHSA-3wc3-w43j-x6wh",
"modified": "2025-05-22T18:31:15Z",
"published": "2025-05-22T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33136"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7234114"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3XQ3-MVF9-543X
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2025-04-23 21:30A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The status provided by the syslog clients managed by the affected software can be manipulated by an unauthenticated attacker in the same network of the affected system.
{
"affected": [],
"aliases": [
"CVE-2021-37177"
],
"database_specific": {
"cwe_ids": [
"CWE-471"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-14T11:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions \u003c V3.0 SP2). The status provided by the syslog clients managed by the affected software can be manipulated by an unauthenticated attacker in the same network of the affected system.",
"id": "GHSA-3xq3-mvf9-543x",
"modified": "2025-04-23T21:30:29Z",
"published": "2022-05-24T19:14:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37177"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-334944.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4P64-V8F5-R2GX
Vulnerability from github – Published: 2026-04-14 20:05 – Updated: 2026-04-14 20:05Summary
justhtml 1.16.0 fixes multiple security issues in sanitization, serialization, and programmatic DOM handling.
Most of these issues affected one of these advanced paths rather than ordinary parsed HTML with the default safe settings:
- programmatic DOM input to
sanitize()orsanitize_dom() - reused or mutated sanitization policy objects
- custom policies that preserve foreign namespaces such as SVG or MathML
Affected versions
justhtml<= 1.15.0
Fixed version
justhtml1.16.0released on April 12, 2026
Impact
Policy reuse and mutation
Nested mutation of sanitization policy internals could weaken later sanitization by leaving stale compiled sanitizers active, or by mutating exported default policy internals process-wide.
In-memory sanitization gaps
Programmatic DOM sanitization could miss dangerous mixed-case tag names such as ScRiPt or StYlE, and custom drop_content_tags values such as {"SCRIPT"} could silently fail to drop dangerous subtrees.
Serialization injection
Crafted programmatic doctype names could serialize into active markup before the document body.
Foreign-namespace policy bypasses
Custom policies that preserve SVG or MathML could allow active SVG features to survive sanitization, including:
- animation elements such as
<set>and<animate>that mutate already-sanitized attributes after sanitization - presentation attributes such as
fill,clip-path,mask,marker-start, andcursorcontaining externalurl(...)references - programmatic DOM trees that claim
namespace="html"but serialize as<svg>or<math>, bypassing foreign-content checks
Rawtext hardening gap
Mixed-case programmatic style or script nodes could bypass rawtext hardening and preserve active stylesheet content such as remote @import rules.
Default configuration
Most of these issues did not affect the normal JustHTML(..., sanitize=True) path for ordinary parsed HTML.
The main exceptions were policy-mutation issues, which could weaken later sanitization if code mutated nested state on reused policy objects or exported defaults.
Recommended action
Upgrade to justhtml 1.16.0.
If you cannot upgrade immediately:
- do not mutate
DEFAULT_POLICY,DEFAULT_DOCUMENT_POLICY, or nested policy internals - avoid reusing policy objects after mutating nested state
- avoid preserving SVG or MathML for untrusted input
- avoid preserving
styleorscriptin custom policies for untrusted input - avoid serializing untrusted programmatic doctypes or DOM trees
Credit
Discovered during an internal security review of justhtml.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.15.0"
},
"package": {
"ecosystem": "PyPI",
"name": "justhtml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-178",
"CWE-436",
"CWE-471",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T20:05:10Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Summary\n\n`justhtml` `1.16.0` fixes multiple security issues in sanitization, serialization, and programmatic DOM handling.\n\nMost of these issues affected one of these advanced paths rather than ordinary parsed HTML with the default safe settings:\n\n- programmatic DOM input to `sanitize()` or `sanitize_dom()`\n- reused or mutated sanitization policy objects\n- custom policies that preserve foreign namespaces such as SVG or MathML\n\n## Affected versions\n\n- `justhtml` `\u003c= 1.15.0`\n\n## Fixed version\n\n- `justhtml` `1.16.0` released on April 12, 2026\n\n## Impact\n\n### Policy reuse and mutation\nNested mutation of sanitization policy internals could weaken later sanitization by leaving stale compiled sanitizers active, or by mutating exported default policy internals process-wide.\n\n### In-memory sanitization gaps\nProgrammatic DOM sanitization could miss dangerous mixed-case tag names such as `ScRiPt` or `StYlE`, and custom `drop_content_tags` values such as `{\"SCRIPT\"}` could silently fail to drop dangerous subtrees.\n\n### Serialization injection\nCrafted programmatic doctype names could serialize into active markup before the document body.\n\n### Foreign-namespace policy bypasses\nCustom policies that preserve SVG or MathML could allow active SVG features to survive sanitization, including:\n\n- animation elements such as `\u003cset\u003e` and `\u003canimate\u003e` that mutate already-sanitized attributes after sanitization\n- presentation attributes such as `fill`, `clip-path`, `mask`, `marker-start`, and `cursor` containing external `url(...)` references\n- programmatic DOM trees that claim `namespace=\"html\"` but serialize as `\u003csvg\u003e` or `\u003cmath\u003e`, bypassing foreign-content checks\n\n### Rawtext hardening gap\nMixed-case programmatic `style` or `script` nodes could bypass rawtext hardening and preserve active stylesheet content such as remote `@import` rules.\n\n## Default configuration\n\nMost of these issues did **not** affect the normal `JustHTML(..., sanitize=True)` path for ordinary parsed HTML.\n\nThe main exceptions were policy-mutation issues, which could weaken later sanitization if code mutated nested state on reused policy objects or exported defaults.\n\n## Recommended action\n\nUpgrade to `justhtml` `1.16.0`.\n\nIf you cannot upgrade immediately:\n\n- do not mutate `DEFAULT_POLICY`, `DEFAULT_DOCUMENT_POLICY`, or nested policy internals\n- avoid reusing policy objects after mutating nested state\n- avoid preserving SVG or MathML for untrusted input\n- avoid preserving `style` or `script` in custom policies for untrusted input\n- avoid serializing untrusted programmatic doctypes or DOM trees\n\n## Credit\n\nDiscovered during an internal security review of `justhtml`.",
"id": "GHSA-4p64-v8f5-r2gx",
"modified": "2026-04-14T20:05:10Z",
"published": "2026-04-14T20:05:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/EmilStenstrom/justhtml/security/advisories/GHSA-4p64-v8f5-r2gx"
},
{
"type": "PACKAGE",
"url": "https://github.com/EmilStenstrom/justhtml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Multiple security fixes in justhtml"
}
GHSA-4V2W-H9JM-MQJG
Vulnerability from github – Published: 2020-11-27 16:07 – Updated: 2021-01-07 22:40Impact
command injection vulnerability by prototype pollution
Patches
Problem was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. Please upgrade to version >= 4.30.2
Workarounds
If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite()
For more information
If you have any questions or comments about this advisory:
- Open an issue in systeminformation
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "systeminformation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.30.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26245"
],
"database_specific": {
"cwe_ids": [
"CWE-471",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2020-11-27T15:56:36Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\ncommand injection vulnerability by prototype pollution\n\n### Patches\nProblem was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. Please upgrade to version \u003e= 4.30.2\n\n### Workarounds\nIf you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite()\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [systeminformation](https://github.com/sebhildebrandt/systeminformation/issues/new?template=bug_report.md)",
"id": "GHSA-4v2w-h9jm-mqjg",
"modified": "2021-01-07T22:40:03Z",
"published": "2020-11-27T16:07:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26245"
},
{
"type": "WEB",
"url": "https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in systeminformation"
}
GHSA-6853-5V4J-V7VG
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2025-04-23 21:30A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). An unauthenticated attacker in the same network of the affected system could manipulate certain parameters and set a valid user of the affected software as invalid (or vice-versa).
{
"affected": [],
"aliases": [
"CVE-2021-37193"
],
"database_specific": {
"cwe_ids": [
"CWE-471"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-14T11:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions \u003c V3.0 SP2). An unauthenticated attacker in the same network of the affected system could manipulate certain parameters and set a valid user of the affected software as invalid (or vice-versa).",
"id": "GHSA-6853-5v4j-v7vg",
"modified": "2025-04-23T21:30:29Z",
"published": "2022-05-24T19:14:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37193"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-334944.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When the data is stored or transmitted through untrusted sources that could modify the data, implement integrity checks to detect unauthorized modification, or store/transmit the data in a trusted location that is free from external influence.
CAPEC-384: Application API Message Manipulation via Man-in-the-Middle
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Adversary-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.
CAPEC-385: Transaction or Event Tampering via Application API Manipulation
An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.
CAPEC-386: Application API Navigation Remapping
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.
CAPEC-387: Navigation Remapping To Propagate Malicious Content
An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.
CAPEC-388: Application API Button Hijacking
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.