CVE-2026-47345: Anthropic Python XSS bypass

CISO Take

A namespace attribute encoding flaw in typo3/html-sanitizer before 2.3.2 allows attackers to craft HTML that bypasses the library's XSS prevention mechanism, enabling malicious script execution in victims' browsers. With 5,225 downstream dependents and 7 prior CVEs in the same package, the blast radius across PHP-based web applications — including AI-powered interfaces and CMS deployments that render user or LLM-generated HTML — is significant. Although the raw EPSS score is 0.015%, this CVE ranks in the 96th percentile of all CVEs for exploitation likelihood, and sanitizer bypasses are a well-understood exploitation pattern that attackers actively seek out. Upgrade to typo3/html-sanitizer 2.3.2 immediately and audit any pipeline that passes untrusted or AI-generated HTML through this library before browser rendering.

Sources: NVD GitHub Advisory EPSS ATLAS

What is the risk?

Medium risk overall, elevated for AI web interfaces. The vulnerability is a sanitizer bypass — a class of issue that attackers actively seek because it undermines a core trust boundary rather than a peripheral control. The 96th EPSS percentile indicates above-average exploitation interest relative to the broader CVE population. No public exploit or Nuclei scanner template exists yet, and CISA has not added it to KEV, keeping immediate risk moderate. Risk increases materially for teams using this library to sanitize LLM-generated HTML in web applications, where a prompt-crafted XSS payload could survive sanitization and execute in authenticated operator or end-user sessions.

How does the attack unfold?

Reconnaissance

Attacker identifies the target application uses typo3/html-sanitizer < 2.3.2 via exposed composer.lock, public dependency manifests, or automated dependency scanning tools.

AML.T0000

Payload Crafting

Attacker constructs HTML with SVG or MathML namespace attributes that exploit the encoding flaw to embed JavaScript event handlers that survive sanitization unmodified.

AML.T0043.003

Injection via Application Input

Malicious HTML is submitted through user input, LLM-generated content, or a third-party content feed processed by the vulnerable sanitizer in the target AI-enabled web application.

AML.T0049

XSS Execution and Impact

Victim's browser renders the sanitized-but-malicious HTML, executing attacker-controlled JavaScript to steal session tokens, exfiltrate credentials, or pivot to administrative interfaces of the AI platform.

AML.T0107

Reconnaissance

Attacker identifies the target application uses typo3/html-sanitizer < 2.3.2 via exposed composer.lock, public dependency manifests, or automated dependency scanning tools.

AML.T0000

Payload Crafting

Attacker constructs HTML with SVG or MathML namespace attributes that exploit the encoding flaw to embed JavaScript event handlers that survive sanitization unmodified.

AML.T0043.003

Injection via Application Input

Malicious HTML is submitted through user input, LLM-generated content, or a third-party content feed processed by the vulnerable sanitizer in the target AI-enabled web application.

AML.T0049

XSS Execution and Impact

Victim's browser renders the sanitized-but-malicious HTML, executing attacker-controlled JavaScript to steal session tokens, exfiltrate credentials, or pivot to administrative interfaces of the AI platform.

AML.T0107

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Anthropic Python	composer	< 2.3.2	`2.3.2`
3.6K 5.2K dependents Pushed 6d ago 88% patched ~3d to patch Full package profile →

Do you use Anthropic Python? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

0.0%

chance of exploitation in 30 days

Higher than 4% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

5 steps

Patch: Upgrade typo3/html-sanitizer to >= 2.3.2 (commit 8b5d0be44ded457ca993ec9ca93d859941c63764). Run composer update typo3/html-sanitizer and verify with composer show typo3/html-sanitizer.
Detection: Grep all composer.json and composer.lock files for typo3/html-sanitizer and flag versions below 2.3.2 across all environments.
Workaround (if immediate patching is blocked): Add a secondary sanitization layer that strips or encodes namespace-containing attributes (SVG/MathML/xlink namespaces) before passing HTML to the library.
LLM-specific: Audit all pipelines where LLM-generated HTML is rendered in a browser — enforce CSP headers and server-side allowed-tag allowlists as defense-in-depth beyond sanitization.
Monitor: Review WAF and CSP violation logs for namespace-attribute XSS patterns targeting SVG, MathML, and xlink namespace abuse.

How is it classified?

Code Execution Data Extraction Framework Plugin AML.T0049 - Exploit Public-Facing Application AML.T0051.001 - Indirect AML.T0093 - Prompt Infiltration via Public-Facing Application AML.T0107 - Exploitation for Defense Evasion

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.8.2 - AI system security

NIST AI RMF

MANAGE-2.2 - Risk treatment for identified AI vulnerabilities

OWASP LLM Top 10

LLM02 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2026-47345?

A namespace attribute encoding flaw in typo3/html-sanitizer before 2.3.2 allows attackers to craft HTML that bypasses the library's XSS prevention mechanism, enabling malicious script execution in victims' browsers. With 5,225 downstream dependents and 7 prior CVEs in the same package, the blast radius across PHP-based web applications — including AI-powered interfaces and CMS deployments that render user or LLM-generated HTML — is significant. Although the raw EPSS score is 0.015%, this CVE ranks in the 96th percentile of all CVEs for exploitation likelihood, and sanitizer bypasses are a well-understood exploitation pattern that attackers actively seek out. Upgrade to typo3/html-sanitizer 2.3.2 immediately and audit any pipeline that passes untrusted or AI-generated HTML through this library before browser rendering.

Is CVE-2026-47345 actively exploited?

No confirmed active exploitation of CVE-2026-47345 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-47345?

1. Patch: Upgrade typo3/html-sanitizer to >= 2.3.2 (commit 8b5d0be44ded457ca993ec9ca93d859941c63764). Run `composer update typo3/html-sanitizer` and verify with `composer show typo3/html-sanitizer`. 2. Detection: Grep all composer.json and composer.lock files for typo3/html-sanitizer and flag versions below 2.3.2 across all environments. 3. Workaround (if immediate patching is blocked): Add a secondary sanitization layer that strips or encodes namespace-containing attributes (SVG/MathML/xlink namespaces) before passing HTML to the library. 4. LLM-specific: Audit all pipelines where LLM-generated HTML is rendered in a browser — enforce CSP headers and server-side allowed-tag allowlists as defense-in-depth beyond sanitization. 5. Monitor: Review WAF and CSP violation logs for namespace-attribute XSS patterns targeting SVG, MathML, and xlink namespace abuse.

What systems are affected by CVE-2026-47345?

This vulnerability affects the following AI/ML architecture patterns: LLM output rendering pipelines, AI-powered content management systems, Agent frameworks with web UI, RAG pipelines with HTML output.

What is the CVSS score for CVE-2026-47345?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

LLM output rendering pipelinesAI-powered content management systemsAgent frameworks with web UIRAG pipelines with HTML output

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0051.001 Indirect

AML.T0093 Prompt Infiltration via Public-Facing Application

AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.8.2

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

Namespace attributes are not encoded correctly during HTML serialization. This allows bypassing the cross-site scripting prevention mechanism of `typo3/html-sanitizer` before version 2.3.2. Credits to Doyensec in collaboration with Claude and Anthropic Research for reporting this vulnerability.

Exploitation Scenario

An attacker targeting an AI-powered TYPO3-based web application — for example, a CMS with an LLM content assistant — crafts a prompt that causes the LLM to generate HTML containing SVG or MathML namespace attributes with embedded JavaScript event handlers. When this output is passed through the vulnerable html-sanitizer, the namespace encoding flaw allows the malicious attributes to survive sanitization intact. The sanitized-but-still-malicious HTML is stored in the CMS or immediately rendered to another user such as a content reviewer or site visitor. The injected JavaScript executes in their authenticated browser session, enabling session cookie theft, credential harvesting, or lateral movement into the AI application's administrative interface.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
[Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.