GCVE - cpe:2.3:a:mozilla:bleach:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:mozilla:bleach:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Mozilla (`be1b0d4e-21a7-5a25-9982-bbda6ef43ec1`)
Product	Bleach (`fad9e719-9258-54e5-856e-491adb503e82`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:deb/debian/python-bleach`	purl2cpe	2026-06-01 10:17:53.151921
`pkg:deb/ubuntu/python-bleach`	purl2cpe	2026-06-01 10:17:53.151924
`pkg:github/mozilla/bleach`	purl2cpe	2026-06-01 10:17:53.151926
`pkg:pypi/bleach`	purl2cpe	2026-06-01 10:17:53.151929
`pkg:rpm/fedora/python-bleach`	purl2cpe	2026-06-01 10:17:53.151932
`pkg:rpm/opensuse/python-bleach`	purl2cpe	2026-06-01 10:17:53.151935

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2021-23980`	vulnerable	2026-06-03 14:43:55.913214	Details available A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True. Published: 2023-02-16T00:00:00.000Z Updated: 2025-03-19T15:18:23.189Z Open on db.gcve.eu Reference links https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-6817`	vulnerable	2026-06-03 14:42:59.151114	Details available bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}). Published: 2023-02-16T00:00:00.000Z Updated: 2025-03-19T15:21:23.888Z Open on db.gcve.eu Reference links https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm https://bugzilla.mozilla.org/show_bug.cgi?id=1623633	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-6816`	vulnerable	2026-06-03 14:42:59.144187	Details available In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False. Published: 2020-03-24T21:15:40.000Z Updated: 2024-08-04T09:11:05.111Z Open on db.gcve.eu Reference links https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743 https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EDQU2SZLZMSSACCBUBJ6NOSRNNBDYFW5/ https://advisory.checkmarx.net/advisory/CX-2020-4277	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-6802`	vulnerable	2026-06-03 14:42:59.137111	Details available In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option. Published: 2020-03-24T21:13:04.000Z Updated: 2024-08-04T09:11:05.145Z Open on db.gcve.eu Reference links https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/ https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.