{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29079", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T20:51:43.483Z", "datePublished": "2026-03-13T17:19:46.025Z", "dateUpdated": "2026-03-16T17:05:28.190Z"}, "containers": {"cna": {"title": "Type Confusion in Lexbor Fragment Parser", "problemTypes": [{"descriptions": [{"cweId": "CWE-843", "lang": "en", "description": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8"}], "affected": [{"vendor": "lexbor", "product": "lexbor", "versions": [{"version": "< 2.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T17:19:46.025Z"}, "descriptions": [{"lang": "en", "value": "Lexbor is a web browser engine library. Prior to 2.7.0, a type\u2011confusion vulnerability exists in Lexbor\u2019s HTML fragment parser. When ns = UNDEF, a comment is created using the \u201cunknown element\u201d constructor. The comment\u2019s data are written into the element\u2019s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0."}], "source": {"advisory": "GHSA-mrpr-v36q-2vp8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T17:05:21.350963Z", "id": "CVE-2026-29079", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T17:05:28.190Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29079", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T17:05:21.350963Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T17:05:24.686Z"}}], "cna": {"title": "Type Confusion in Lexbor Fragment Parser", "source": {"advisory": "GHSA-mrpr-v36q-2vp8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "lexbor", "product": "lexbor", "versions": [{"status": "affected", "version": "< 2.7.0"}]}], "references": [{"url": "https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8", "name": "https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Lexbor is a web browser engine library. Prior to 2.7.0, a type\u2011confusion vulnerability exists in Lexbor\u2019s HTML fragment parser. When ns = UNDEF, a comment is created using the \u201cunknown element\u201d constructor. The comment\u2019s data are written into the element\u2019s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-843", "description": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T17:19:46.025Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29079", "state": "PUBLISHED", "dateUpdated": "2026-03-16T17:05:28.190Z", "dateReserved": "2026-03-03T20:51:43.483Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T17:19:46.025Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lexbor:lexbor:*:*:*:*:*:*:*:*", "matchCriteriaId": "431D7C04-4D6F-4F52-8EAA-60DD304831BD", "versionEndExcluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Lexbor is a web browser engine library. Prior to 2.7.0, a type\u2011confusion vulnerability exists in Lexbor\u2019s HTML fragment parser. When ns = UNDEF, a comment is created using the \u201cunknown element\u201d constructor. The comment\u2019s data are written into the element\u2019s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0."}], "id": "CVE-2026-29079", "lastModified": "2026-03-18T20:20:53.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-13T19:54:32.747", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-843"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "lexbor", "source": "cna", "vendor": "lexbor"}, "product": "lexbor", "vendor": "lexbor"}], "analysis": {"en": {"generated_at": "2026-03-18T21:26:10.822803+00:00", "value": {"mitigation_remediation": ["Update Lexbor to version 2.7.0 or later.", "Verify that the updated library is in use and that no legacy code paths still invoke the old parser.", "If an update is not immediately possible, isolate the usage of Lexbor and scan incoming HTML to prevent the crafting of input that can trigger the parser.", "Monitor security advisories from Lexbor for any additional patches."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw exists in all Lexbor releases prior to 2.7.0. Vendor product: lexbor:lexbor identified by the CPE cpe:2.3:a:lexbor:lexbor:*:*:*:*:*:*:*:. The affected versions are any version before 2.7.0; no narrower range is supplied.", "description_and_impact": "The vulnerability is a type\u2011confusion bug in Lexbor\u2019s HTML fragment parser. When the namespace (ns) value is UNDEF, the parser creates a comment element via the \u201cunknown element\u201d constructor. An unsafe cast writes the comment data into the element\u2019s fields, corrupting the qualified_name field. The corrupted value is later dereferenced as a pointer near the zero page, resulting in a memory corruption that can lead to a crash or potentially allow execution of arbitrary code. This weakness is identified by CWE\u2011843.", "risk_and_exploitability": "The CVSS score of 8.2 indicates a high impact, while the EPSS score of less than 1% suggests the vulnerability is currently low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to supply specially crafted HTML fragments that trigger the parser; thus, it may be exploitable in both remote contexts (e.g., web applications using Lexbor) and local contexts (e.g., client\u2011side rendering) depending on how the library is integrated. Because the defect corrupts memory, it can quickly lead to a denial\u2011of\u2011service or, if the corruption is leveraged, to remote code execution."}}}}, "created": "2026-03-16T09:24:57.139628+00:00", "updated": "2026-03-24T10:39:41.335411+00:00", "vendors": ["lexbor", "lexbor$PRODUCT$lexbor"]}