diff --git a/backport-CVE-2021-28957.patch b/backport-CVE-2021-28957.patch
new file mode 100644
index 0000000000000000000000000000000000000000..de583e45171517623ab437a4267b20d427ab50b4
--- /dev/null
+++ b/backport-CVE-2021-28957.patch
@@ -0,0 +1,52 @@
+From 2d01a1ba8984e0483ce6619b972832377f208a0d Mon Sep 17 00:00:00 2001
+From: Kevin Chung
+Date: Sun, 21 Mar 2021 10:03:09 -0400
+Subject: [PATCH] Add HTML-5 "formaction" attribute to "defs.link_attrs"
+ (GH-316)
+
+Resolves https://bugs.launchpad.net/lxml/+bug/1888153
+See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
+---
+ src/lxml/html/defs.py | 2 ++
+ src/lxml/html/tests/test_clean.py | 15 +++++++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
+index 1b3a75b36..2058ea330 100644
+--- a/src/lxml/html/defs.py
++++ b/src/lxml/html/defs.py
+@@ -23,6 +23,8 @@
+ 'usemap',
+ # Not standard:
+ 'dynsrc', 'lowsrc',
++ # HTML5 formaction
++ 'formaction'
+ ])
+
+ # Not in the HTML 4 spec:
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index 0e669f98d..45c2e83ab 100644
+--- a/src/lxml/html/tests/test_clean.py
++++ b/src/lxml/html/tests/test_clean.py
+@@ -123,6 +123,21 @@ def test_sneaky_js_in_math_style(self):
+ b'',
+ lxml.html.tostring(clean_html(s)))
+
++ def test_formaction_attribute_in_button_input(self):
++ # The formaction attribute overrides the form's action and should be
++ # treated as a malicious link attribute
++ html = ('
'
++ '')
++ expected = ('
'
++ '
')
++ cleaner = Cleaner(
++ forms=False,
++ safe_attrs_only=False,
++ )
++ self.assertEqual(
++ expected,
++ cleaner.clean_html(html))
++
+
+ def test_suite():
+ suite = unittest.TestSuite()
diff --git a/python-lxml.spec b/python-lxml.spec
index cedcb0330c37bbf3b515ed0d513568ce2fc4b819..47576f7822b3d7e48cce959e73f6c9ea6a8833e7 100644
--- a/python-lxml.spec
+++ b/python-lxml.spec
@@ -7,12 +7,14 @@ The latest release works with all CPython versions from 2.7 to 3.7.
 Name: python-%{modname}
 Version: 4.6.2
-Release: 1
+Release: 2
 Summary: XML processing library combining libxml2/libxslt with the ElementTree API
 License: BSD
 URL: https://files.pythonhosted.org
 Source0: https://files.pythonhosted.org/packages/db/f7/43fecb94d66959c1e23aa53d6161231dca0e93ec500224cf31b3c4073e37/lxml-4.6.2.tar.gz
+Patch6000: backport-CVE-2021-28957.patch
+
 BuildRequires: gcc libxml2-devel libxslt-devel
 %description %{_description}
@@ -28,7 +30,7 @@ BuildRequires: python3-devel python3-setuptools python3-Cython
 %package_help
 %prep
-%autosetup -n %{modname}-%{version}
+%autosetup -n %{modname}-%{version} -p1
 %build
 export WITH_CYTHON=true
@@ -50,6 +52,9 @@ export WITH_CYTHON=true
 %doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
 %changelog
+* Wed Apr 14 2021 shixuantong - 4.6.2-2
+- fix CVE-2021-28957
+
 * Mon Feb 1 2021 wangjie - 4.6.2-1
 - upgrade 4.6.2-1
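Review bot: The string literals of the backported test read as empty in this rendering (`html = ('` … `'')` and `expected = ('` … `')` carry no markup, and the context line `b'',` is likewise bare), so the committed backport-CVE-2021-28957.patch should be checked byte-for-byte against upstream commit 2d01a1ba8984e0483ce6619b972832377f208a0d before it is relied on — if the markup really is missing, the hunk will not apply at `%autosetup -p1`, or the test will pass vacuously. The only coverage the patch adds is the permissive configuration `Cleaner(forms=False, safe_attrs_only=False)`, which is the right case for `formaction` (it is only caught because the attribute is now in `link_attrs`), but nothing in these hunks shows a `%check` stage running src/lxml/html/tests/test_clean.py; confirm the package build executes it, otherwise the fix is applied unverified. The `-p1` added to `%autosetup` matches the `a/src/lxml/...` prefixes inside the nested patch, so that part is consistent. The test method's enclosing class starts outside the hunk.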