diff --git a/SOURCES/CVE-2021-28957.patch b/SOURCES/CVE-2021-28957.patch
new file mode 100644
index 0000000..0368606
--- /dev/null
+++ b/SOURCES/CVE-2021-28957.patch
@@ -0,0 +1,39 @@
+diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
+index caf6b21..ea3c016 100644
+--- a/src/lxml/html/defs.py
++++ b/src/lxml/html/defs.py
+@@ -21,6 +21,8 @@ link_attrs = frozenset([
+     'usemap',
+     # Not standard:
+     'dynsrc', 'lowsrc',
++    # HTML5 formaction
++    'formaction'
+     ])
+ 
+ # Not in the HTML 4 spec:
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index 451eec2..e40cdad 100644
+--- a/src/lxml/html/tests/test_clean.py
++++ b/src/lxml/html/tests/test_clean.py
+@@ -89,6 +89,21 @@ class CleanerTest(unittest.TestCase):
+             b'<math><style>/* deleted */</style></math>',
+             lxml.html.tostring(clean_html(s)))
+ 
++    def test_formaction_attribute_in_button_input(self):
++        # The formaction attribute overrides the form's action and should be
++        # treated as a malicious link attribute
++        html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
++        '<button form="test" formaction="javascript:alert(1)">X</button>')
++        expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
++        '<button form="test" formaction="">X</button></div>')
++        cleaner = Cleaner(
++            forms=False,
++            safe_attrs_only=False,
++        )
++        self.assertEqual(
++            expected,
++            cleaner.clean_html(html))
++
+ 
+ def test_suite():
+     suite = unittest.TestSuite()
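Review bot: The added `'formaction'` entry in the defs.py hunk has no trailing comma, unlike the `'dynsrc', 'lowsrc',` line directly above it, so the next addition to `link_attrs` will have to touch this line again; `'formaction',` keeps the frozenset literal consistent with its neighbours. The `link_attrs = frozenset([` literal starts outside the hunk at defs.py line 21, so only the tail of the list is visible here. The new test in test_clean.py pins that `formaction="javascript:alert(1)"` is emptied when `forms=False` and `safe_attrs_only=False`, which exercises exactly the link-attribute path the defs.py change enables; whether the default `Cleaner()` path also neutralizes the attribute is not established by this hunk and may deserve a second assertion, but that is an inference about the cleaner's other options rather than something visible here.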
diff --git a/SPECS/python-lxml.spec b/SPECS/python-lxml.spec
index 51cb0a2..87cf28c 100644
--- a/SPECS/python-lxml.spec
+++ b/SPECS/python-lxml.spec
@@ -11,7 +11,7 @@
 
 Name:           python-%{modname}
 Version:        4.2.3
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API
 
 License:        BSD
@@ -27,6 +27,11 @@ Source0:        http://lxml.de/files/%{modname}-%{version}.tgz
 #   https://github.com/lxml/lxml/commit/4cb57362deb23bca0f70f41ab1efa13390fcdbb1
 Patch0:         CVE-2020-27783.patch
 
+# Fix for CVE-2021-28957: missing input sanitization
+# for formaction HTML5 attributes which may lead to XSS
+# Fixed upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
+Patch1: CVE-2021-28957.patch
+
 BuildRequires:  gcc
 BuildRequires:  libxml2-devel
 BuildRequires:  libxslt-devel
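Review bot: `Patch1: CVE-2021-28957.patch` is declared in this hunk, but the `%prep` section is outside the diff, so it is not visible whether the new patch is actually applied; unless `%prep` uses `%autosetup -p1`, a `%patch1 -p1` line matching whatever is done for Patch0 is required, otherwise the build succeeds with the fix silently absent. The new tag's spacing `Patch1: CVE-2021-28957.patch` also does not match the column-aligned `Patch0:         CVE-2020-27783.patch` directly above it; `Patch1:         CVE-2021-28957.patch` keeps the preamble aligned. The comment block naming the CVE and the upstream commit mirrors the existing Patch0 comment, which is the right convention for a backport.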
@@ -118,6 +123,10 @@ export WITH_CYTHON=true
 
 
 %changelog
+* Wed Mar 24 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-5
+- Security fix for CVE-2021-28957
+Resolves: rhbz#1941534
+
 * Tue Dec 08 2020 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-4
 - Security fix for CVE-2020-27783: mXSS due to the use of improper parser
 Resolves: rhbz#1901633