CVE-2024-26151: 
Python vulnerability analysis and mitigation

The CVE-2024-26151 affects the mjml PyPI package (FelixSchwarz/mjml-python), an unofficial Python port of MJML markup language created by Mailjet. The vulnerability was discovered in version 0.10.0 and fixed in version 0.11.0, with versions before 0.10.0 not being affected. The issue was reported by @sh-at-cs and disclosed on February 22, 2024 (GitHub Advisory).

The vulnerability occurs when escaped HTML entities like <script> are unescaped in the final HTML output, potentially allowing injection of untrusted user data. The CVSS v3.1 base score is 8.2 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L. The issue is classified as CWE-79 (Cross-site Scripting) by NIST and CWE-20 (Improper Input Validation) by GitHub (NVD).

The vulnerability allows attackers to control the contents of email messages sent through the platform when they can inject data into mjml templates. This affects all users of mjml-python who insert untrusted data into mjml templates unless that data is checked in a very strict manner (GitHub Advisory).

The vulnerability has been fixed in version 0.11.0 of the library. For users who cannot immediately upgrade, the recommended workaround is to ensure that potentially untrusted user input does not contain any sequences which could be rendered as HTML (GitHub Advisory).

The issue was initially reported through GitHub Issues (#52) by user sh-at-cs, who demonstrated the security concern by showing how escaped HTML tags were being unescaped during rendering. The project maintainer promptly addressed the issue by releasing version 0.11.0 (GitHub Release).