CVE-2026-63430
mXSS in ammonia via MathML `annotation-xml` encoding strip
Description
If a certain set of MathML tags are enabled, an attacker can inject arbitrary JavaScript code into the user's browser. The `annotation-xml` tag has slightly different behavior than the other "integration point" tags in MathML and SVG, but ammonia didn't handle it, so it didn't correctly strip the namespace-incompatible tags. This vulnerability only has an effect when the `math` and `annotation-xml` tags are both enabled, but the `encoding` attribute is disabled, because it relies on the following sequence of steps: 1. User writes code like `<math><annotation-xml encoding="text/html"><gadget></annotation-xml></math>`. 2. Namespace filtering checks the DOM, and it passes. `<gadget>` is parsed as HTML. 3. Attribute filter strips it down to `<math><annotation-xml><gadget></annotation-xml></math>`. Because the encoding attribute is gone, `<gadget>` is now parsed as MathML. 4. The gadget is written in such a way that it exploits the parsing differences between HTML and MathML. Additionally, the gadget can only be written using a tag that is parsed as raw text in HTML. These [elements] are: * title * textarea * xmp * iframe * noembed * noframes * plaintext * noscript * style * script Applications that do not explicitly allow any of these tags should not be affected, since none are allowed by default. [elements]: https://github.com/servo/html5ever/blob/045a0378f2b0f8d4a350793899cf722a2a9b3d11/html5ever/src/tree_builder/rules.rs --- **Discovered by:** [Ivan Ivančić](https://ivan09999.github.io/ammonia-mxss) · **Date:** 2026-06-29 · Found via local differential analysis and source review of ammonia's sanitisation pipeline; no third-party systems were tested.
How to fix CVE-2026-63430
To remediate CVE-2026-63430, upgrade the affected package to a fixed version below.
- —upgrade to 3.3.2 or later
Is CVE-2026-63430 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-63430.
Affected packages (1)
- >= 0.0.0-0, < 3.3.2, >= 4.0.0, < 4.0.2, >= 4.1.0, < 4.1.3