CVE-2016-9910 is a cross-site scripting (XSS) issue in the html5lib serializer. According to NVD, special characters in attribute values could be mishandled during serialization, allowing attacker-controlled content to be emitted in a way that could execute in a browser context. The CVE was published on 2017-02-22; the much later 2026-05-13 record modification is metadata maintenance, not a new issue date [truncated]
CVE-2016-9909 is a cross-site scripting issue in html5lib’s serializer. Versions before 0.99999999 may mishandle the '<' character inside attribute values, which can lead to attacker-controlled script execution in a browser context when serialized output is rendered as HTML. NVD rates the issue CVSS 3.0 6.1 (Medium), with network attack vector, no privileges required, and user interaction required.
