{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "1.0.0"
              },
              {
                "fixed": "1.0.7"
              }
            ]
          },
          "events": [
            {
              "introduced": "ca1c30b9b5c160024257f456606b1f3f17138ca6"
            },
            {
              "fixed": "37f1d10d762cf8019594ff596d9207f7551001ad"
            }
          ],
          "repo": "https://github.com/typo3/html-sanitizer",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "2.0.0"
              },
              {
                "fixed": "2.0.16"
              }
            ]
          },
          "events": [
            {
              "introduced": "b32bbd462406f28d1fca4bde8a8cd8b49a4bdd39"
            },
            {
              "fixed": "60bfdc7f9b394d0236e16ee4cea8372a7defa493"
            }
          ],
          "repo": "https://github.com/typo3/html-sanitizer",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-47m6-46mj-p235"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36020.json"
  },
  "details": "The typo3/html-sanitizer package is an HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. Due to a parsing issue in the upstream package `masterminds/html5`, malicious markup placed in sequence with specially crafted HTML comments is not filtered or sanitized. This allows an attacker to bypass the cross-site scripting protection of `typo3/html-sanitizer` and inject script-bearing markup into output that consumers treat as sanitized. The fix is applied on the `typo3/html-sanitizer` side: the issue has been addressed in versions 1.0.7 and 2.0.16 of the `typo3/html-sanitizer` package (earlier 1.x and 2.x releases are affected). Users are advised to upgrade. There are no known workarounds for this issue.",
  "id": "CVE-2022-36020",
  "modified": "2026-04-01T23:08:01.829107689Z",
  "published": "2022-09-13T16:55:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/masterminds/html5"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/typo3/html-sanitizer"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36020.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-47m6-46mj-p235"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36020"
    },
    {
      "type": "FIX",
      "url": "https://github.com/TYPO3/html-sanitizer/commit/60bfdc7f9b394d0236e16ee4cea8372a7defa493"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Bypass of Cross-Site Scripting Protection in typo3/html-sanitizer"
}