PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9909 Html5lib CVE debrief

CVE-2016-9909 is a cross-site scripting issue in html5lib’s serializer. Versions before 0.99999999 may mishandle the '<' character inside attribute values, which can lead to attacker-controlled script execution in a browser context when serialized output is rendered as HTML. NVD rates the issue CVSS 3.0 6.1 (Medium), with network attack vector, no privileges required, and user interaction required.

Vendor: Html5lib
Product: CVE-2016-9909
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-22
Original CVE updated: 2026-05-13
Advisory published: 2017-02-22
Advisory updated: 2026-05-13

Who should care

Security teams and developers who use html5lib before 0.99999999, especially in applications that serialize untrusted or user-influenced HTML and then serve or render that output in a browser. Web application owners should care most if html5lib output is part of a content-sanitization or HTML-generation workflow.

Technical summary

NVD maps the issue to CWE-79 (improper neutralization of input during web page generation, i.e. cross-site scripting), and the vulnerable range ends at 0.99999999. The published description attributes the flaw to serializer mishandling of '<' in attribute values, creating an XSS condition. The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: the issue is remotely reachable with low complexity and no privileges, depends on user interaction, and (scope changed) has a low confidentiality and integrity impact in the browser security context of whoever renders the output.

Defensive priority

Medium. This is a real web-facing XSS flaw, but it requires user interaction and is version-bounded. Remediate promptly if html5lib is present in exposed HTML serialization paths, but it is not indicated as a known mass-exploitation or KEV-listed issue in the supplied corpus.

Recommended defensive actions

  • Upgrade html5lib to 0.99999999 or later as indicated by the NVD vulnerable range.
  • Review any code paths that serialize attacker-influenced HTML or attributes and ensure the output is not rendered unsafely in browsers.
  • Treat any serialized HTML produced by affected versions as potentially unsafe until the library is updated and the affected workflow is validated.
  • Use the vendor patch and release notes to confirm the fix was applied in your dependency chain.
  • If immediate upgrade is not possible, reduce exposure by avoiding browser rendering of affected serialized output and by limiting untrusted input into serialization flows.
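Two checks that support the actions above, written as an added example and not as html5lib project code: a numeric version gate against the NVD fixed version 0.99999999 (string comparison gets versions such as 1.1 wrong), and a conservative scan of already-serialized HTML that flags attribute values still carrying a raw '<'. The regexes and the sample markup are constructed for this example; it uses only the standard library.

```python
import re

MIN_FIXED_VERSION = "0.99999999"  # first fixed release per the NVD range


def version_tuple(version):
    """'0.9999999' -> (0, 9999999). Compare numerically: as strings,
    '1.1' < '0.99999999', so a fixed build would be reported vulnerable."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def html5lib_version_is_fixed(version):
    """True when the installed html5lib is 0.99999999 or later."""
    return version_tuple(version) >= version_tuple(MIN_FIXED_VERSION)


# Constructed regexes: a start tag (quoted values may contain '>') and the
# name=value pairs inside it (double-quoted, single-quoted or unquoted).
_START_TAG = re.compile(r"""<([A-Za-z][^\s/>]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>""")
_ATTR = re.compile(r"""([^\s=/>"']+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?""")


def find_raw_lt_in_attrs(serialized_html):
    """Return (tag, attribute, value, quoted) for every attribute value that
    still contains a literal '<'. Unquoted hits are the ones that can change
    tag structure; quoted hits are reported too so the output gets reviewed
    before it is rendered, as the debrief recommends."""
    findings = []
    for tag_match in _START_TAG.finditer(serialized_html):
        tag, attr_text = tag_match.group(1).lower(), tag_match.group(2)
        for name, raw_value in _ATTR.findall(attr_text):
            if not raw_value:
                continue  # boolean attribute, nothing to inspect
            quoted = raw_value[0] in "\"'"
            value = raw_value[1:-1] if quoted else raw_value
            if "<" in value:
                findings.append((tag, name.lower(), value, quoted))
    return findings


if __name__ == "__main__":
    # Constructed sample of serializer output; the unquoted href is the shape
    # that lets a '<' open a new tag once a browser parses the page.
    sample = '<a href=x<img src=y title="a<b">link</a>'
    for hit in find_raw_lt_in_attrs(sample):
        print(hit)
    print(html5lib_version_is_fixed("0.9999999"))  # False
```

Run the scan on serialized output from any pipeline that still pins an affected version; a non-empty result is a reason to hold that output back from browser rendering until the upgrade lands.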

Evidence notes

The supplied NVD record lists html5lib as the affected product, with a vulnerable version range ending at 0.99999999. The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and the weakness is CWE-79. The description states the serializer may mishandle '<' in attribute values, enabling XSS. NVD references include vendor issues, a patch commit, and release notes. The CVE was published on 2017-02-22 and the record was later modified on 2026-05-13.

Official resources

Publicly disclosed in the NVD/CVE record on 2017-02-22, with supporting vendor advisories and a patch referenced in December 2016.