RUSTSEC-2026-0193

Source
https://rustsec.org/advisories/RUSTSEC-2026-0193
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0193.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0193
Aliases
  • GHSA-9jh8-v38h-cvhr
Published
2026-06-30T12:00:00Z
Modified
2026-07-01T05:15:04.006923605Z
Summary
mXSS in ammonia via MathML `annotation-xml` encoding strip
Details

If a certain set of MathML tags is enabled, an attacker can inject arbitrary JavaScript code into the user's browser.

The annotation-xml tag behaves slightly differently from the other "integration point" tags in MathML and SVG: its encoding attribute decides whether its children are parsed as HTML or as MathML. ammonia did not handle this case, so it did not correctly strip namespace-incompatible tags inside it.

This vulnerability only has an effect when the math and annotation-xml tags are both enabled but the encoding attribute is disabled, because it relies on the following sequence of steps:

  1. The user submits markup such as <math><annotation-xml encoding="text/html"><gadget></annotation-xml></math>.
  2. Namespace filtering runs on the parsed DOM and passes: with encoding="text/html" present, <gadget> is parsed as HTML, where it is allowed.
  3. The attribute filter then strips the output down to <math><annotation-xml><gadget></annotation-xml></math>. Because the encoding attribute is gone, a browser that re-parses this output treats <gadget> as MathML.
  4. The gadget is written so that it exploits the parsing differences between HTML and MathML.

Additionally, the gadget can only be written using a tag whose content is parsed as raw text in HTML. These elements are:

  • title
  • textarea
  • xmp
  • iframe
  • noembed
  • noframes
  • plaintext
  • noscript
  • style
  • script

Applications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.
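The three preconditions above (math and annotation-xml both allowed, encoding stripped from annotation-xml, and at least one raw-text element allowed) can be checked mechanically against a sanitizer allow-list. The following Rust is an added example written for this page, not code from ammonia or from the advisory; the AllowList struct is an assumed, simplified model of an allow-list configuration and does not use ammonia's API. It reports which allowed raw-text elements would be usable as the gadget, or nothing if any precondition is missing. Upgrading to a fixed version is the actual remedy; this only tells you whether a configuration matches the advisory's stated conditions.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Elements whose content HTML parses as raw text (the list from the advisory).
/// Only these can carry the gadget, because the mismatch between HTML's
/// raw-text parsing and MathML's markup parsing is what the attack relies on.
const RAW_TEXT_ELEMENTS: [&str; 10] = [
    "title", "textarea", "xmp", "iframe", "noembed", "noframes",
    "plaintext", "noscript", "style", "script",
];

/// Assumed, simplified allow-list model for this example: permitted tags,
/// attributes permitted on every tag, and attributes permitted per tag.
/// This is not ammonia's Builder type; it only mirrors its shape.
#[derive(Debug)]
struct AllowList {
    tags: BTreeSet<String>,
    generic_attributes: BTreeSet<String>,
    tag_attributes: BTreeMap<String, BTreeSet<String>>,
}

impl AllowList {
    fn allows_tag(&self, tag: &str) -> bool {
        self.tags.contains(tag)
    }

    fn allows_attribute(&self, tag: &str, attr: &str) -> bool {
        self.generic_attributes.contains(attr)
            || self.tag_attributes.get(tag).map_or(false, |s| s.contains(attr))
    }
}

/// Returns the allowed raw-text elements that could carry the gadget, or an
/// empty list if the advisory's preconditions are not all met:
///   1. `math` and `annotation-xml` are both allowed,
///   2. `encoding` is not allowed on `annotation-xml` (so it gets stripped),
///   3. at least one raw-text element is allowed.
fn exposed_gadget_tags(allow: &AllowList) -> Vec<&'static str> {
    let integration_point_enabled =
        allow.allows_tag("math") && allow.allows_tag("annotation-xml");
    let encoding_stripped = !allow.allows_attribute("annotation-xml", "encoding");
    if !(integration_point_enabled && encoding_stripped) {
        return Vec::new();
    }
    RAW_TEXT_ELEMENTS
        .iter()
        .copied()
        .filter(|t| allow.allows_tag(t))
        .collect()
}

fn set(items: &[&str]) -> BTreeSet<String> {
    items.iter().map(|s| s.to_string()).collect()
}

/// Constructed allow-list for illustration: MathML enabled, `encoding`
/// not allowed anywhere, and `style` (a raw-text element) allowed.
fn risky_config() -> AllowList {
    AllowList {
        tags: set(&["p", "a", "math", "annotation-xml", "style"]),
        generic_attributes: set(&["title"]),
        tag_attributes: BTreeMap::new(),
    }
}

fn main() {
    // Prints ["style"] for the constructed configuration.
    println!("gadget-capable tags: {:?}", exposed_gadget_tags(&risky_config()));
}
```

Removing any one of the three conditions (dropping annotation-xml, allowing encoding on it, or allowing no raw-text element) makes the check return nothing, which matches the advisory's statement that the default configuration, which allows none of the raw-text elements, is not affected.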


Discovered by: ivan0912 (YesWeHack) · Date: 2026-06-29 · Found via local differential analysis and source review of ammonia's sanitisation pipeline; no third-party systems were tested.

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / ammonia

Package

Affected ranges

Type
SEMVER
Events
  • Introduced 0.0.0-0, fixed 3.3.2
  • Introduced 4.0.0, fixed 4.0.2
  • Introduced 4.1.0, fixed 4.1.3

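The SEMVER events above follow OSV semantics: a version is affected if the last event at or below it is an "introduced". The Rust below is an added example for this page, not code from RustSec, OSV or ammonia; it evaluates those events for a given version and scans Cargo.lock text for resolved ammonia versions. The lockfile excerpt is constructed, the lockfile scanner is a deliberately minimal line parser rather than a TOML parser, and the Version type is this example's own (pre-releases sort below their release, as in semver, so the 0.0.0-0 sentinel sits below every version).

```rust
/// Semver-style ordering: a pre-release sorts before the release with the
/// same numbers, so `4.0.2-beta` is still below the fix at `4.0.2`.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
struct Version {
    major: u64,
    minor: u64,
    patch: u64,
    is_release: bool,
}

fn parse_version(s: &str) -> Option<Version> {
    let (core, rest) = match s.find(|c: char| c == '-' || c == '+') {
        Some(i) => (&s[..i], &s[i..]),
        None => (s, ""),
    };
    // "+build" metadata does not affect ordering; "-pre" does.
    let is_release = !rest.starts_with('-');
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let v = Version {
        major: parts.next()??,
        minor: parts.next()??,
        patch: parts.next()??,
        is_release,
    };
    if parts.next().is_some() {
        return None; // more than three numeric components
    }
    Some(v)
}

#[derive(Debug, Clone, Copy)]
enum Event {
    Introduced(Version),
    Fixed(Version),
}

impl Event {
    fn version(self) -> Version {
        match self {
            Event::Introduced(v) | Event::Fixed(v) => v,
        }
    }
}

/// The SEMVER events listed under "Affected ranges" in this advisory.
fn rustsec_2026_0193_events() -> Vec<Event> {
    let v = |s: &str| parse_version(s).expect("advisory versions are well-formed");
    vec![
        Event::Introduced(v("0.0.0-0")), Event::Fixed(v("3.3.2")),
        Event::Introduced(v("4.0.0")),   Event::Fixed(v("4.0.2")),
        Event::Introduced(v("4.1.0")),   Event::Fixed(v("4.1.3")),
    ]
}

/// OSV evaluation: sort the events by version, walk them in order, and
/// report whether the last event at or below `v` was an `introduced`.
fn is_affected(events: &[Event], v: Version) -> bool {
    let mut sorted = events.to_vec();
    sorted.sort_by_key(|e| e.version());
    let mut affected = false;
    for e in sorted {
        match e {
            Event::Introduced(at) if at <= v => affected = true,
            Event::Fixed(at) if at <= v => affected = false,
            _ => {}
        }
    }
    affected
}

/// Pull every resolved `ammonia` version out of Cargo.lock text by scanning
/// `[[package]]` tables line by line (minimal scanner, not a TOML parser).
fn ammonia_versions_in_lockfile(lock: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut current_name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            current_name = None;
        } else if let Some(n) = line.strip_prefix("name = ") {
            current_name = Some(n.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            if current_name.as_deref() == Some("ammonia") {
                out.push(v.trim_matches('"').to_string());
            }
        }
    }
    out
}

/// Affected ammonia versions found in a lockfile; versions that do not parse
/// are reported as well, so they get looked at rather than silently passed.
fn affected_ammonia_in_lockfile(lock: &str) -> Vec<String> {
    let events = rustsec_2026_0193_events();
    ammonia_versions_in_lockfile(lock)
        .into_iter()
        .filter(|s| parse_version(s).map_or(true, |v| is_affected(&events, v)))
        .collect()
}

/// Constructed Cargo.lock excerpt for illustration (not a real project).
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "ammonia"
version = "4.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "some-other-crate"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    // Prints ["4.0.1"] for the constructed lockfile.
    println!("affected: {:?}", affected_ammonia_in_lockfile(SAMPLE_LOCK));
}
```

Note that a lockfile can pin ammonia more than once (for example 3.x via one dependency and 4.x via another), which is why the scanner returns every occurrence rather than the first.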
Ecosystem specific

{
    "affects": {
        "arch": [],
        "os": [],
        "functions": []
    },
    "affected_functions": null
}

Database specific

categories
[
    "format-injection"
]
source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0193.json"
cvss
null
informational
null