CWE-755
DiscouragedImproper Handling of Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not handle or incorrectly handles an exceptional condition.
686 vulnerabilities reference this CWE, most recent first.
GHSA-C474-F694-3XX6
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2022-05-24 17:00A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the PLC when upgrading the firmware with a missing web server image inside the package using FTP protocol.
{
"affected": [],
"aliases": [
"CVE-2019-6842"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-29T19:15:00Z",
"severity": "MODERATE"
},
"details": "A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the PLC when upgrading the firmware with a missing web server image inside the package using FTP protocol.",
"id": "GHSA-c474-f694-3xx6",
"modified": "2022-05-24T17:00:05Z",
"published": "2022-05-24T17:00:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6842"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-281-02"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SEVD-2019-281-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-C4PM-63CG-9J7H
Vulnerability from github – Published: 2022-12-08 15:52 – Updated: 2025-01-17 17:06Impact
Applications using the Client Hints analysis feature introduced with 7.0.0 can crash because the Yauaa library throws an ArrayIndexOutOfBoundsException. Applications that do not use this feature are not affected.
Patches
Upgrade to 7.9.0
Workarounds
Catch and discard any exceptions from Yauaa.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "nl.basjes.parse.useragent:yauaa"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "nl.basjes.parse.useragent:yauaa-beam"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "nl.basjes.parse.useragent:yauaa-beam-sql"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "nl.basjes.parse.useragent:yauaa-drill"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "nl.basjes.parse.useragent:yauaa-elasticsearch"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "nl.basjes.parse.useragent:yauaa-elasticsearch-8"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "nl.basjes.parse.useragent:yauaa-flink"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "nl.basjes.parse.useragent:yauaa-flink-table"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "nl.basjes.parse.useragent:yauaa-hive"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "nl.basjes.parse.useragent:yauaa-logparser"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "nl.basjes.parse.useragent:yauaa-snowflake"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "nl.basjes.parse.useragent:yauaa-trino"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23496"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-08T15:52:54Z",
"nvd_published_at": "2022-12-08T22:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nApplications using the Client Hints analysis feature introduced with 7.0.0 can crash because the Yauaa library throws an ArrayIndexOutOfBoundsException. Applications that do not use this feature are not affected.\n\n### Patches\nUpgrade to 7.9.0\n\n### Workarounds\nCatch and discard any exceptions from Yauaa.\n",
"id": "GHSA-c4pm-63cg-9j7h",
"modified": "2025-01-17T17:06:53Z",
"published": "2022-12-08T15:52:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nielsbasjes/yauaa/security/advisories/GHSA-c4pm-63cg-9j7h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23496"
},
{
"type": "WEB",
"url": "https://github.com/nielsbasjes/yauaa/commit/3017a866e2cff0d308f264b66fde4fa79e3beb9e"
},
{
"type": "PACKAGE",
"url": "https://github.com/nielsbasjes/yauaa"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Yauaa vulnerable to ArrayIndexOutOfBoundsException triggered by a crafted Sec-Ch-Ua-Full-Version-List"
}
GHSA-C5VR-66HV-6685
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-05-24 16:58The flowd process, responsible for forwarding traffic in SRX Series services gateways, may crash and restart when processing specific transit IP packets through an IPSec tunnel. Continued processing of these packets may result in an extended Denial of Service (DoS) condition. This issue only occurs when IPSec tunnels are configured. Systems without IPSec tunnel configurations are not vulnerable to this issue. This issue affects Juniper Networks Junos OS: 15.1X49 versions prior to 15.1X49-D171, 15.1X49-D180 on SRX Series; 18.2 versions 18.2R2-S1 and later, prior to 18.2R3 on SRX Series; 18.4 versions prior to 18.4R2 on SRX Series.
{
"affected": [],
"aliases": [
"CVE-2019-0060"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-09T20:15:00Z",
"severity": "HIGH"
},
"details": "The flowd process, responsible for forwarding traffic in SRX Series services gateways, may crash and restart when processing specific transit IP packets through an IPSec tunnel. Continued processing of these packets may result in an extended Denial of Service (DoS) condition. This issue only occurs when IPSec tunnels are configured. Systems without IPSec tunnel configurations are not vulnerable to this issue. This issue affects Juniper Networks Junos OS: 15.1X49 versions prior to 15.1X49-D171, 15.1X49-D180 on SRX Series; 18.2 versions 18.2R2-S1 and later, prior to 18.2R3 on SRX Series; 18.4 versions prior to 18.4R2 on SRX Series.",
"id": "GHSA-c5vr-66hv-6685",
"modified": "2022-05-24T16:58:12Z",
"published": "2022-05-24T16:58:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0060"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA10959"
},
{
"type": "WEB",
"url": "https://www.juniper.net/documentation/en_US/junos/topics/topic-map/ipsec-tunnel-traffic-configuration.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-C5W8-CWH4-JH73
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36fedora-arm-installer up to and including 1.99.16 is vulnerable to local privilege escalation due to lack of checking the error condition of mount operation failure on unsafely created temporary directories.
{
"affected": [],
"aliases": [
"CVE-2017-7496"
],
"database_specific": {
"cwe_ids": [
"CWE-391",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-26T14:29:00Z",
"severity": "HIGH"
},
"details": "fedora-arm-installer up to and including 1.99.16 is vulnerable to local privilege escalation due to lack of checking the error condition of mount operation failure on unsafely created temporary directories.",
"id": "GHSA-c5w8-cwh4-jh73",
"modified": "2022-05-13T01:36:20Z",
"published": "2022-05-13T01:36:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7496"
},
{
"type": "WEB",
"url": "https://pagure.io/arm-image-installer/pull-request/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C5X8-2V3C-Q27C
Vulnerability from github – Published: 2023-04-18 00:32 – Updated: 2024-04-04 03:31An Improper Check or Handling of Exceptional Conditions vulnerability in packet processing on the network interfaces of Juniper Networks Junos OS on JRR200 route reflector appliances allows an adjacent, network-based attacker sending a specific packet to the device to cause a kernel crash, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue can only be triggered by an attacker on the local broadcast domain. Packets routed to the device are unable to trigger this crash. This issue affects Juniper Networks Junos OS on JRR200: All versions prior to 21.2R3-S4; 21.3 versions prior to 21.3R3-S4; 21.4 versions prior to 21.4R3-S3; 22.1 versions prior to 22.1R3-S1; 22.2 versions prior to 22.2R2-S2, 22.2R3; 22.3 versions prior to 22.3R1-S2, 22.3R2; 22.4 versions prior to 22.4R1-S1, 22.4R2.
{
"affected": [],
"aliases": [
"CVE-2023-28970"
],
"database_specific": {
"cwe_ids": [
"CWE-703",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-17T22:15:09Z",
"severity": "MODERATE"
},
"details": "An Improper Check or Handling of Exceptional Conditions vulnerability in packet processing on the network interfaces of Juniper Networks Junos OS on JRR200 route reflector appliances allows an adjacent, network-based attacker sending a specific packet to the device to cause a kernel crash, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue can only be triggered by an attacker on the local broadcast domain. Packets routed to the device are unable to trigger this crash. This issue affects Juniper Networks Junos OS on JRR200: All versions prior to 21.2R3-S4; 21.3 versions prior to 21.3R3-S4; 21.4 versions prior to 21.4R3-S3; 22.1 versions prior to 22.1R3-S1; 22.2 versions prior to 22.2R2-S2, 22.2R3; 22.3 versions prior to 22.3R1-S2, 22.3R2; 22.4 versions prior to 22.4R1-S1, 22.4R2.",
"id": "GHSA-c5x8-2v3c-q27c",
"modified": "2024-04-04T03:31:29Z",
"published": "2023-04-18T00:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28970"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA70594"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C6HX-PJC3-7FQR
Vulnerability from github – Published: 2022-10-10 21:23 – Updated: 2022-10-13 20:08Impact
There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service.
Patches
Traefik v2.8.x: https://github.com/traefik/traefik/releases/tag/v2.8.8 Traefik v2.9.x: https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please open an issue.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0-rc1"
},
{
"fixed": "2.9.0-rc5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39271"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-10T21:23:30Z",
"nvd_published_at": "2022-10-11T14:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThere is a potential vulnerability in Traefik managing HTTP/2 connections.\nA closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service.\n\n### Patches\n\nTraefik v2.8.x: https://github.com/traefik/traefik/releases/tag/v2.8.8\nTraefik v2.9.x: https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5\n\n### Workarounds\n\nNo workaround.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n",
"id": "GHSA-c6hx-pjc3-7fqr",
"modified": "2022-10-13T20:08:57Z",
"published": "2022-10-10T21:23:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-c6hx-pjc3-7fqr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39271"
},
{
"type": "PACKAGE",
"url": "https://github.com/traefik/traefik"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v2.8.8"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Traefik HTTP/2 connections management could cause a denial of service"
}
GHSA-C8RX-QGHV-2WWG
Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-19 00:01In atf (hwfde), there is a possible leak of sensitive information due to incorrect error handling. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06171729; Issue ID: ALPS06171729.
{
"affected": [],
"aliases": [
"CVE-2022-20066"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-11T20:15:00Z",
"severity": "MODERATE"
},
"details": "In atf (hwfde), there is a possible leak of sensitive information due to incorrect error handling. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06171729; Issue ID: ALPS06171729.",
"id": "GHSA-c8rx-qghv-2wwg",
"modified": "2022-04-19T00:01:24Z",
"published": "2022-04-12T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20066"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/April-2022"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/May-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C9VM-HV86-F23R
Vulnerability from github – Published: 2026-04-10 19:20 – Updated: 2026-04-15 20:44Summary
justhtml 1.15.0 includes multiple security fixes affecting URL sanitization helpers, HTML serialization, Markdown passthrough, and several custom sanitization-policy edge cases.
These issues have different impact levels and do not all affect the default configuration in the same way.
Affected versions
justhtml<= 1.14.0
Fixed version
justhtml1.15.0released on April 9, 2026
Impact overview
Helper and serialization issues
These issues could affect applications using JustHTML helpers or programmatic DOM construction, even outside the default HTML sanitization path.
JustHTML.clean_url_value(...)andclean_url_in_js_string(...)could accept URL values such asjavascript:..., which became activejavascript:URLs after HTML attribute parsing.- URL sanitization could treat values like
\\evil.example/xor/\\evil.example/xas safe relative URLs even though browsers could resolve them as remote requests. - Malformed bracketed hosts such as
https://[evil.example]/xcould raise exceptions and crash sanitization when host allowlists were used. - Programmatic element or attribute names containing markup-breaking characters could be serialized into active HTML.
- Programmatic HTML comments containing
-->could break out of the comment and inject live markup.
Markdown passthrough issue
to_markdown(html_passthrough=True)could reintroduce active HTML from sanitized<textarea>content by emitting a raw closing</textarea>sequence.
Custom policy issues
These issues affected custom policies more than the default safe configuration.
a[ping]was handled as a single URL even though browsers interpret it as a space-separated URL list.attributionsrcwas not treated as URL-bearing and could preserve attacker-controlled reporting endpoints.link[imagesrcset]was not treated as URL-bearing and could preserve attacker-controlled image candidates.- Preserved
<meta http-equiv="refresh">tags could keep redirect targets without URL-policy enforcement. - Preserved
<base href>tags could rewrite how later relative URLs resolved in the browser. - Preserved
<style>blocks could keep resource-loading CSS such as@import,url(...), orimage-set(...). - Mixed-case attribute names in custom transform pipelines could bypass or confuse security-related transforms such as
DropAttrs(...),DropUrlAttrs(...),AllowStyleAttrs(...), andMergeAttrs(...).
Default configuration
Most of the custom-policy issues above did not affect the default JustHTML(..., sanitize=True) behavior.
The main exceptions were:
- helper APIs such as clean_url_value(...)
- programmatic DOM / serializer usage
- applications explicitly using html_passthrough=True
- applications using custom policies or custom transform pipelines
Recommended action
Upgrade to justhtml 1.15.0.
If you cannot upgrade immediately:
- avoid
html_passthrough=Truefor untrusted content - avoid preserving
<style>,<meta http-equiv="refresh">, and<base href>in custom policies - avoid allowing
ping,attributionsrc, orimagesrcsetunless you explicitly validate them - avoid serializing untrusted programmatic node names, attribute names, or comment data
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.14.0"
},
"package": {
"ecosystem": "PyPI",
"name": "justhtml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.15.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-178",
"CWE-20",
"CWE-755",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T19:20:04Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\n`justhtml` `1.15.0` includes multiple security fixes affecting URL sanitization helpers, HTML serialization, Markdown passthrough, and several custom sanitization-policy edge cases.\n\nThese issues have different impact levels and do not all affect the default configuration in the same way.\n\n## Affected versions\n\n- `justhtml` `\u003c= 1.14.0`\n\n## Fixed version\n\n- `justhtml` `1.15.0` released on April 9, 2026\n\n## Impact overview\n\n### Helper and serialization issues\nThese issues could affect applications using JustHTML helpers or programmatic DOM construction, even outside the default HTML sanitization path.\n\n- `JustHTML.clean_url_value(...)` and `clean_url_in_js_string(...)` could accept URL values such as `javascript\u0026#58...`, which became active `javascript:` URLs after HTML attribute parsing.\n- URL sanitization could treat values like `\\\\evil.example/x` or `/\\\\evil.example/x` as safe relative URLs even though browsers could resolve them as remote requests.\n- Malformed bracketed hosts such as `https://[evil.example]/x` could raise exceptions and crash sanitization when host allowlists were used.\n- Programmatic element or attribute names containing markup-breaking characters could be serialized into active HTML.\n- Programmatic HTML comments containing `--\u003e` could break out of the comment and inject live markup.\n\n### Markdown passthrough issue\n- `to_markdown(html_passthrough=True)` could reintroduce active HTML from sanitized `\u003ctextarea\u003e` content by emitting a raw closing `\u003c/textarea\u003e` sequence.\n\n### Custom policy issues\nThese issues affected custom policies more than the default safe configuration.\n\n- `a[ping]` was handled as a single URL even though browsers interpret it as a space-separated URL list.\n- `attributionsrc` was not treated as URL-bearing and could preserve attacker-controlled reporting endpoints.\n- `link[imagesrcset]` was not treated as URL-bearing and could preserve attacker-controlled image candidates.\n- Preserved `\u003cmeta http-equiv=\"refresh\"\u003e` tags could keep redirect targets without URL-policy enforcement.\n- Preserved `\u003cbase href\u003e` tags could rewrite how later relative URLs resolved in the browser.\n- Preserved `\u003cstyle\u003e` blocks could keep resource-loading CSS such as `@import`, `url(...)`, or `image-set(...)`.\n- Mixed-case attribute names in custom transform pipelines could bypass or confuse security-related transforms such as `DropAttrs(...)`, `DropUrlAttrs(...)`, `AllowStyleAttrs(...)`, and `MergeAttrs(...)`.\n\n## Default configuration\n\nMost of the custom-policy issues above did **not** affect the default `JustHTML(..., sanitize=True)` behavior.\n\nThe main exceptions were:\n- helper APIs such as `clean_url_value(...)`\n- programmatic DOM / serializer usage\n- applications explicitly using `html_passthrough=True`\n- applications using custom policies or custom transform pipelines\n\n## Recommended action\n\nUpgrade to `justhtml` `1.15.0`.\n\nIf you cannot upgrade immediately:\n\n- avoid `html_passthrough=True` for untrusted content\n- avoid preserving `\u003cstyle\u003e`, `\u003cmeta http-equiv=\"refresh\"\u003e`, and `\u003cbase href\u003e` in custom policies\n- avoid allowing `ping`, `attributionsrc`, or `imagesrcset` unless you explicitly validate them\n- avoid serializing untrusted programmatic node names, attribute names, or comment data",
"id": "GHSA-c9vm-hv86-f23r",
"modified": "2026-04-15T20:44:03Z",
"published": "2026-04-10T19:20:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/EmilStenstrom/justhtml/security/advisories/GHSA-c9vm-hv86-f23r"
},
{
"type": "PACKAGE",
"url": "https://github.com/EmilStenstrom/justhtml"
},
{
"type": "WEB",
"url": "https://github.com/EmilStenstrom/justhtml/compare/v1.14.0...v1.15.0"
},
{
"type": "WEB",
"url": "https://github.com/EmilStenstrom/justhtml/releases/tag/v1.15.0"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "justhtml includes multiple security fixes"
}
GHSA-CCGJ-PH26-HF87
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36Certain 802.11 network management messages have been determined to invoke wireless access point blacklisting security defenses when not required, which can necessitate intervention by hospital staff to reset the device and reestablish a network connection to the Wi-Fi access point. During this state, the Philips IntelliVue MX40 Version B.06.18 can either connect to an alternative access point within signal range for association to a central monitoring station, or it can remain in local monitoring mode until the device is reset by hospital staff. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point.
{
"affected": [],
"aliases": [
"CVE-2017-9658"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-30T15:29:00Z",
"severity": "MODERATE"
},
"details": "Certain 802.11 network management messages have been determined to invoke wireless access point blacklisting security defenses when not required, which can necessitate intervention by hospital staff to reset the device and reestablish a network connection to the Wi-Fi access point. During this state, the Philips IntelliVue MX40 Version B.06.18 can either connect to an alternative access point within signal range for association to a central monitoring station, or it can remain in local monitoring mode until the device is reset by hospital staff. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point.",
"id": "GHSA-ccgj-ph26-hf87",
"modified": "2022-05-13T01:36:04Z",
"published": "2022-05-13T01:36:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9658"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"
},
{
"type": "WEB",
"url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100813"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CFCV-4R42-7465
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17An Improper Handling of Exceptional Conditions vulnerability in the processing of a transit or directly received malformed IPv6 packet in Juniper Networks Junos OS results in a kernel crash, causing the device to restart, leading to a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue only affects systems with IPv6 configured. Devices with only IPv4 configured are not vulnerable to this issue. This issue affects Juniper Networks Junos OS: 19.4 versions prior to 19.4R3; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R1-S1, 20.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 19.4R1.
{
"affected": [],
"aliases": [
"CVE-2021-0299"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-19T19:15:00Z",
"severity": "HIGH"
},
"details": "An Improper Handling of Exceptional Conditions vulnerability in the processing of a transit or directly received malformed IPv6 packet in Juniper Networks Junos OS results in a kernel crash, causing the device to restart, leading to a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue only affects systems with IPv6 configured. Devices with only IPv4 configured are not vulnerable to this issue. This issue affects Juniper Networks Junos OS: 19.4 versions prior to 19.4R3; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R1-S1, 20.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 19.4R1.",
"id": "GHSA-cfcv-4r42-7465",
"modified": "2022-05-24T19:17:55Z",
"published": "2022-05-24T19:17:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0299"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11213"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.