PatchSiren cyber security CVE debrief

CVE-2016-9910 Html5lib CVE debrief

CVE-2016-9910 is a cross-site scripting (XSS) issue in the html5lib serializer. According to NVD, special characters in attribute values could be mishandled during serialization, allowing attacker-controlled content to be emitted in a way that could execute in a browser context. The CVE was published on 2017-02-22; the much later 2026-05-13 record modification is metadata maintenance, not a new issue date. No CISA KEV listing is associated with this CVE in the supplied corpus.

Vendor: Html5lib
Product: CVE-2016-9910
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-22
Original CVE updated: 2026-05-13
Advisory published: 2017-02-22
Advisory updated: 2026-05-13

Who should care

Teams that use html5lib to serialize or sanitize HTML, especially web applications that pass attacker-influenced attribute values through the serializer before rendering or storing output. Dependency managers should also check for transitive use of html5lib in Python web stacks.

Technical summary

NVD maps the weakness to CWE-79 and assigns a CVSS 3.0 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The issue is in the serializer path, where mishandling of special characters in attribute values can cause browser-side script execution. The supplied NVD data lists vulnerable html5lib versions through 0.99999999, while the written description says the issue affects versions before 0.99999999; treat the exact fixed boundary carefully and validate it against the vendor release notes and patch references.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade html5lib to the vendor-fixed release referenced in the advisory/release notes before deploying untrusted HTML serialization paths.
  • Audit applications for any use of html5lib serializer output that reaches browsers, templates, stored HTML, or rich-text pipelines.
  • Treat all attribute values as untrusted input unless they are explicitly escaped and validated by a trusted layer.
  • Review transitive Python dependencies to find bundled or indirect html5lib usage.
  • Use browser-side and server-side tests to confirm that serialized output preserves correct escaping for special characters in attribute values.
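Added example for the last action above (not code from html5lib or from this debrief): a stdlib-only round-trip check that re-parses whatever the serializer emitted and reports any tag or attribute that differs from what the application intended to emit. The sample strings are constructed stand-ins for serializer output, not real html5lib output; feed the function the actual output of your serialization path.

```python
from html.parser import HTMLParser


class _Collector(HTMLParser):
    """Re-parses serialized markup and records every start tag with its attributes,
    exactly as a browser-side parser would see them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # Entity references in attribute values are already decoded here.
        self.tags.append((tag, dict(attrs)))


def roundtrip_mismatches(serialized, expected):
    """Report every way the re-parsed markup differs from the intended
    [(tag, {attr: value}), ...] list: extra tags, injected attributes,
    or attribute values that were cut short. An empty list means the
    serializer preserved the attribute values intact."""
    parser = _Collector()
    parser.feed(serialized)
    parser.close()
    problems = []
    if len(parser.tags) != len(expected):
        problems.append(f"expected {len(expected)} start tags, parsed {len(parser.tags)}")
    for (tag, attrs), (want_tag, want_attrs) in zip(parser.tags, expected):
        if tag != want_tag:
            problems.append(f"tag <{tag}> where <{want_tag}> was expected")
        for name in sorted(set(attrs) - set(want_attrs)):
            problems.append(f"injected attribute {name!r} on <{tag}>")
        for name, value in want_attrs.items():
            if attrs.get(name) != value:
                problems.append(f"attribute {name!r} on <{tag}> changed to {attrs.get(name)!r}")
    return problems


# Constructed samples: one intended element, serialized two different ways.
INTENDED = [("a", {"href": "x.html", "title": 'x" onmouseover="alert(1)'})]
ESCAPED = '<a href="x.html" title="x&quot; onmouseover=&quot;alert(1)">'  # quote escaped
UNESCAPED = '<a href="x.html" title="x" onmouseover="alert(1)">'         # quote passed through

if __name__ == "__main__":
    for label, markup in (("escaped", ESCAPED), ("unescaped", UNESCAPED)):
        print(label, roundtrip_mismatches(markup, INTENDED) or "ok")
```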

Evidence notes

Primary evidence comes from the NVD CVE record and the CVE.org record. Vendor/security references include two OSS-security mailing list posts, two GitHub vendor advisory issues, a patch commit, and html5lib release notes. The corpus indicates CWE-79 and provides a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The source corpus does not include a KEV entry or ransomware association. There is a minor boundary inconsistency in the supplied data: the prose description says 'before 0.99999999,' while the CPE range marks versions through 0.99999999 as vulnerable.

Official resources

Publicly disclosed and published in the CVE record on 2017-02-22. The supplied corpus shows later record maintenance on 2026-05-13, which should not be treated as the disclosure date.