| Package | Installed | Affected | Info |
|---|---|---|---|
| bleach | 3.1.0 | <3.3.0 | Bleach 3.3.0 includes a fix for CVE-2021-23980: A mutation XSS affects users calling bleach.clean with all of: (1) svg or math in the allowed tags; (2) p or br in allowed tags; (3) style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags; (4) the keyword argument strip_comments=False. Note: none of the above tags are in the default allowed tags and strip_comments defaults to True. |
| bleach | 3.1.0 | >=2.1,<3.1.1 | Affected versions of the Bleach package are vulnerable to Cross-site Scripting (XSS) due to improper handling of whitelisted tags in the bleach.clean function. The vulnerability exists because the bleach.clean function allows certain raw tags, such as "noscript" and "script", to be whitelisted, which can lead to unintended HTML mutations. An attacker can exploit this by crafting malicious HTML content that includes these tags, potentially executing arbitrary scripts in the context of the user's browser session. |
| bleach | 3.1.0 | <3.1.2 | Bleach 3.1.2 includes a fix for CVE-2020-6816: Mutation XSS via whitelisted math or svg and RCDATA tag with strip=False. https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743 |
| bleach | 3.1.0 | <=3.1.3 | Bleach 3.1.4 includes a fix for CVE-2020-6817: bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}). |