Updated lxml packages has been released for Debian GNU/Linux 8 LTS
Package : lxml
Version : 3.4.0-1+deb8u1
CVE ID : CVE-2018-19787
It was discovered that there was a XSS injection vulnerability in
the LXML HTML/XSS manipulation library for Python.
LXML did not remove "javascript:" URLs that used escaping such as
"j a v a s c r i p t". This is a similar issue to CVE-2014-3146.
For Debian 8 "Jessie", this issue has been fixed in lxml version
3.4.0-1+deb8u1.
We recommend that you upgrade your lxml packages.