diff --git a/SOURCES/CVE-2020-27783.patch b/SOURCES/CVE-2020-27783.patch
new file mode 100644
index 0000000..438f7c1
--- /dev/null
+++ b/SOURCES/CVE-2020-27783.patch
@@ -0,0 +1,139 @@
+From db649273fd6a2e3a624545b6fd14e8d8029198f8 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Thu, 3 Dec 2020 11:53:15 +0100
+Subject: [PATCH] CVE-2020-27783
+
+Combines fixes for the CVE from two versions:
+- Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
+- Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
+---
+ src/lxml/html/clean.py | 25 +++++++++++++++++--------
+ src/lxml/html/tests/test_clean.py | 21 +++++++++++++++++++++
+ src/lxml/html/tests/test_clean.txt | 12 ++++++++++--
+ 3 files changed, 48 insertions(+), 10 deletions(-)
+
+diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
+index aa9fc57..15298b5 100644
+--- a/src/lxml/html/clean.py
++++ b/src/lxml/html/clean.py
+@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
+
+ # This is an IE-specific construct you can have in a stylesheet to
+ # run some Javascript:
+-_css_javascript_re = re.compile(
+- r'expression\s*\(.*?\)', re.S|re.I)
++_replace_css_javascript = re.compile(
++ r'expression\s*\(.*?\)', re.S|re.I).sub
+
+ # Do I have to worry about @\nimport?
+-_css_import_re = re.compile(
+- r'@\s*import', re.I)
++_replace_css_import = re.compile(
++ r'@\s*import', re.I).sub
++
++_looks_like_tag_content = re.compile(
++ r''
++ return True
+ return False
+
+ def clean_html(self, html):
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index a193d99..ea7487c 100644
+--- a/src/lxml/html/tests/test_clean.py
++++ b/src/lxml/html/tests/test_clean.py
+@@ -69,6 +69,27 @@ class CleanerTest(unittest.TestCase):
+ self.assertEqual('child', clean_html(s).text_content())
+
+
++ def test_sneaky_noscript_in_style(self):
++ # This gets parsed as through into the output.
++ html = '',
++ lxml.html.tostring(clean_html(s)))
++
++ def test_sneaky_js_in_math_style(self):
++ # This gets parsed as ->
++ # thus passing any tag/script/whatever content through into the output.
++ html = ''
++ s = lxml.html.fragment_fromstring(html)
++
++ self.assertEqual(
++ b'',
++ lxml.html.tostring(clean_html(s)))
++
++
+ def test_suite():
+ suite = unittest.TestSuite()
+ suite.addTests([make_doctest('test_clean.txt')])
+diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt
+index 2824f64..7df1f1d 100644
+--- a/src/lxml/html/tests/test_clean.txt
++++ b/src/lxml/html/tests/test_clean.txt
+@@ -104,7 +104,11 @@
+ >>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))
+ + +- + + + a link
+@@ -168,7 +172,11 @@
+ + + +- + + + a link
+--
+2.28.0
+
diff --git a/SOURCES/CVE-2021-28957.patch b/SOURCES/CVE-2021-28957.patch
new file mode 100644
index 0000000..0368606
--- /dev/null
+++ b/SOURCES/CVE-2021-28957.patch
@@ -0,0 +1,39 @@
+diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
+index caf6b21..ea3c016 100644
+--- a/src/lxml/html/defs.py
++++ b/src/lxml/html/defs.py
+@@ -21,6 +21,8 @@ link_attrs = frozenset([
+ 'usemap',
+ # Not standard:
+ 'dynsrc', 'lowsrc',
++ # HTML5 formaction
++ 'formaction'
+ ])
+
+ # Not in the HTML 4 spec:
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index 451eec2..e40cdad 100644
+--- a/src/lxml/html/tests/test_clean.py
++++ b/src/lxml/html/tests/test_clean.py
+@@ -89,6 +89,21 @@ class CleanerTest(unittest.TestCase):
+ b'',
+ lxml.html.tostring(clean_html(s)))
+
++ def test_formaction_attribute_in_button_input(self):
++ # The formaction attribute overrides the form's action and should be
++ # treated as a malicious link attribute
++ html = ('
'
++ '')
++ expected = ('
'
++ '
')
++ cleaner = Cleaner(
++ forms=False,
++ safe_attrs_only=False,
++ )
++ self.assertEqual(
++ expected,
++ cleaner.clean_html(html))
++
+
+ def test_suite():
+ suite = unittest.TestSuite()
diff --git a/SPECS/python-lxml.spec b/SPECS/python-lxml.spec
index d0b0842..5bb9083 100644
--- a/SPECS/python-lxml.spec
+++ b/SPECS/python-lxml.spec
@@ -9,15 +9,28 @@ Name: %{?scl_prefix}python-%{modname}
Version: 4.4.1
-Release: 5%{?dist}
+Release: 7%{?dist}
Summary: XML processing library combining libxml2/libxslt with the ElementTree API
License: BSD
URL: https://github.com/lxml/lxml
Source0: https://lxml.de/files/%{modname}-%{version}.tgz
+# Fix for CVE-2020-27783: mXSS due to the use of improper parser
+# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1901633
+# Two upstream commits combined:
+# Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
+# Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
+Patch0: CVE-2020-27783.patch
+
+# Fix for CVE-2021-28957: missing input sanitization
+# for formaction HTML5 attributes which may lead to XSS
+# Fixed upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
+Patch1: CVE-2021-28957.patch
+
%{?scl:Requires: %{scl}-runtime}
%{?scl:BuildRequires: %{scl}-runtime}
+
BuildRequires: gcc
BuildRequires: libxml2-devel
BuildRequires: libxslt-devel
@@ -40,7 +53,7 @@ home page < or see our bug tracker at case you want to use the current ...
%prep
%{?scl:scl enable %{scl} - << \EOF}
set -ex
-%autosetup -n %{modname}-%{version}
+%autosetup -n %{modname}-%{version} -p1
# Remove pregenerated Cython C sources
find -type f -name '*.c' -print -delete
%{?scl:EOF}
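Review bot: The part of this backport that actually blocks the mXSS case — the `_looks_like_tag_content` pattern added after the `_replace_css_import` binding in the clean.py hunk at line 61, and the `_has_sneaky_javascript` change that consults it — is not legible here: the text jumps from `re.compile(` / `r''` straight to `return True`, so the new check cannot be reviewed from this page and the file in SOURCES should be diffed against the two upstream commits named in the patch header. The diffstat reports 25 changed lines for clean.py, more than the single visible hunk accounts for, so presumably a second hunk covering `_has_sneaky_javascript` exists in the file; that hunk is also what keeps the rename of `_css_javascript_re`/`_css_import_re` to `_replace_css_javascript`/`_replace_css_import` from leaving a dangling reference, since the old private names are removed rather than aliased. Confirming both points against the applied tree (and that the `.sub`/search bindings match the 4.6.2 commit, which appears to be the later of the two fixes) is the key check before shipping 4.4.1-6.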
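Review bot: The `test_clean.py` hunk in this patch is stamped `index 451eec2..e40cdad`, which does not match the `ea7487c` blob that `CVE-2020-27783.patch` leaves that file at, so the hunk was taken from a different base and applies by context alone (`b'',`, `lxml.html.tostring(clean_html(s)))` and the blank line at 89–91); `patch -p1` ignores index lines, but the `%prep` log should be checked for an offset or fuzz warning, and a one-line `# taken unmodified from upstream, applies with offset` style comment next to `Patch1:` would save the next packager the same check. Functionally the fix is the single `'formaction'` entry added to `link_attrs` in defs.py; the test has to pass `safe_attrs_only=False` and `forms=False` to exercise it, which suggests the default `Cleaner` configuration already dropped the attribute and only callers relaxing those options were exposed — worth one line in the spec's `# Fix for CVE-2021-28957` comment for triage. A trailing comma after `'formaction'` would match the `'dynsrc', 'lowsrc',` entry above it and keep future additions to the frozenset literal single-line diffs.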
@@ -75,6 +88,14 @@ set -ex
%changelog
+* Mon Jul 19 2021 Charalampos Stratakis - 4.4.1-7
+- Security fix for CVE-2021-28957
+Resolves: rhbz#1941534
+
+* Fri Jun 11 2021 Charalampos Stratakis - 4.4.1-6
+- Security fix for CVE-2020-27783: mXSS due to the use of improper parser
+Resolves: rhbz#1901633
+
+* Wed Feb 05 2020 Lumír Balhar - 4.4.1-5
+- Import from the python38 module and modified for rh-python38 RHSCL
Resolves: rhbz#1671025