Vulnerability in Lexbor
CVE-2026-29079
Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written i…
EPSS: 0.001 (19.8th percentile)
Affected products
- Lexbor — versions < 2.7.0
Weakness classification (CWE)
References
- https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8 (x_refsource_CONFIRM)