NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases, including for security issues. See issue: #698
Security: mozilla/bleach
- URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output
  GHSA-8rfp-98v4-mmr6, published Jun 5, 2026 by willkg. Severity: Low
- Bleach linkify(parse_email=True) CPU exhaustion via unbounded email regex scanning
  GHSA-g75f-g53v-794x, published Jun 5, 2026 by willkg. Severity: Moderate
- Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes
  GHSA-gj48-438w-jh9v, published Jun 5, 2026 by willkg. Severity: Moderate
- mutation XSS via allowed math or svg; p or br; and style, title, noscript, script, textarea, noframes, iframe, or xmp tags with strip_comments=False
  GHSA-vv2x-vrpj-qqpq, published Feb 1, 2021 by g-k. Severity: Moderate
- regular expression denial-of-service (ReDoS) in BleachSanitizerFilter.sanitize_css gauntlet regular expression
  GHSA-vqhp-cxgc-6wmm, published Mar 26, 2020 by g-k. Severity: Moderate
- mutation XSS via whitelisted math or svg and RCDATA tag with strip=False
  GHSA-m6xf-fq7q-8743, published Mar 17, 2020 by g-k. Severity: Moderate
- mutation XSS in bleach.clean when noscript and raw tag whitelisted
  GHSA-q65m-pv3f-wr5r, published Feb 19, 2020 by g-k. Severity: Moderate