Intel

AIKIDO-2026-894271

ammonia is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 1, 2026

59

Medium Risk

This Affects:

RUSTammonia
3.2.0 - 3.3.1
Fixed in 3.3.2
4.0.0 - 4.0.1
Fixed in 4.0.2
4.1.0 - 4.1.2
Fixed in 4.1.3
Are you affected? Scan for Free

TL;DR

ammonia cleans HTML by removing disallowed elements and validating namespace transitions between each parent and child node. When a configuration permits the MathML annotation-xml element, the cleaner treats it as an HTML or SVG integration point without checking its encoding attribute, so its children are assumed to leave the MathML namespace. Untrusted markup placed under such an element can survive cleaning and then change namespace when a browser re-parses the serialized output, producing mutation XSS that executes script. The fix only treats annotation-xml as an integration point when its encoding attribute is a recognized HTML or SVG media type.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your configuration explicitly allows MathML annotation-xml along with a raw-text element such as xmp.

Background info

ammonia is vulnerable to Cross-Site Scripting (XSS) in versions 3.2.0 - 3.3.1, 4.0.0 - 4.0.1 and 4.1.0 - 4.1.2.

How to fix this

Upgrade the ammonia library to the patch version.