CVE-2026-47344
LowCVSS 2.1Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
When the ALLOW_INSECURE_RAW_TEXT option is enabled, whitespace-variant closing tags (e.g., </style >) are not recognized by the sanitizer but accepted by browsers as valid end tags. This allows bypassing the XSS prevention mechanism in typo3/html-sanitizer before version 2.3.2.
Risk Assessment
Organizations may be exposed to XSS attacks, potentially leading to user data theft or session hijacking. Exploiting this vulnerability can compromise the integrity of web applications.
Recommendation
It is recommended to upgrade to version 2.3.2 or later to eliminate this vulnerability. Additionally, consider disabling the ALLOW_INSECURE_RAW_TEXT option to enhance application security.
Original NVD description (English source)
When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.

