- Package:
- release.debian.org
- Source:
- release.debian.org
- Submitter:
- Adrian Bunk
- Date:
- 2026-06-18 21:33:02 UTC
- Severity:
- normal
- Tags:
- CVE-2026-28348: CSS @import Filter Bypass via Unicode Escapes
- CVE-2026-28350: <base> tag injection through default Cleaner
configuration
The only code changes in the new upstream releases are the CVE fixes
in clean.py, everything else are test/CI/documentation changes
(including testcases for the CVEs).