6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2016-9909

GHSA ID

GHSA-v9v9-xffq-rwr4

EPSS Score

0.68165%

CWE

CWE-79

Published

5/17/2022

Updated

9/20/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-9909

CVE-2016-9909: Improper Neutralization of Input During Web Page Generation in html5lib

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of the < (less than) character in attribute values.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2016-9909

CVE-2016-9909:

6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2016-9909

GHSA ID

GHSA-v9v9-xffq-rwr4

EPSS Score

0.68165%

CWE

CWE-79

Published

5/17/2022

Updated

9/20/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
html5lib	pip	< 0.999999999	0.999999999

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the attribute quoting logic in the HTMLSerializer. The commit 9b8d8eb shows:

The 'quote_attr_values' option was changed from a boolean to a ternary setting ('legacy', 'spec', 'always'), with 'legacy' as the new secure default.
The critical code in 'serialize()' previously used a minimal regex (quoteAttributeSpec) to decide when to quote attributes. This regex did not account for legacy browser quirks like interpreting '<' in unquoted attributes as tag starts.
The patched version introduced 'quoteAttributeLegacy' (a broader regex) and modified the logic to use it when 'quote_attr_values=legacy', ensuring proper escaping of '<' and other problematic characters. The vulnerable code path existed when using the old default 'quote_attr_values=False' (equivalent to 'spec' mode post-patch), which insufficiently handled dangerous characters in attribute values.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2016-9909: Improper Neutralization of Input During Web Page Generation in html5lib

CVE-2016-9909:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2016-9909: Improper Neutralization of Input During Web Page Generation in html5lib

6.1

6.1

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI