CVE-2016-9909

Name: CVE-2016-9909
Creator: NVD / NIST
Published: 2017-02-22T16:59:00.38+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 2.14%

Last modified Jun 17, 2026

CVE-2016-9909 is a vulnerability of currently unknown severity. The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of the < (less than) character in attribute values.. EPSS estimates a 2.14% chance of exploitation in the next 30 days.

Description

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of the < (less than) character in attribute values.

Metrics

EPSS Probability

2.14%

79.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions	Update
Html5lib	Html5lib	<= 0.99999999	1.0b8

References

http://www.openwall.com/lists/oss-security/2016/12/06/5Mailing List, Patch, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/12/08/8Mailing List, Patch, Third Party Advisory
http://www.securityfocus.com/bid/95132Third Party Advisory, VDB Entry
https://github.com/html5lib/html5lib-python/commit/9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7Patch
https://github.com/html5lib/html5lib-python/issues/11Vendor Advisory
https://github.com/html5lib/html5lib-python/issues/12Vendor Advisory
https://html5lib.readthedocs.io/en/latest/changes.html#b9Release Notes
http://www.openwall.com/lists/oss-security/2016/12/06/5Mailing List, Patch, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/12/08/8Mailing List, Patch, Third Party Advisory
http://www.securityfocus.com/bid/95132Third Party Advisory, VDB Entry
https://github.com/html5lib/html5lib-python/commit/9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7Patch
https://github.com/html5lib/html5lib-python/issues/11Vendor Advisory
https://github.com/html5lib/html5lib-python/issues/12Vendor Advisory
https://html5lib.readthedocs.io/en/latest/changes.html#b9Release Notes

Timeline

Published: Feb 22, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2016-9909?

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of the < (less than) character in attribute values.

How severe is CVE-2016-9909?

Severity scoring for CVE-2016-9909 is pending analysis. The EPSS model estimates a 2.14% probability of exploitation in the next 30 days.

How do I fix CVE-2016-9909?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-9909?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST