Skip to main content

Html

5 CVEs product

Monthly

CVE-2025-15646 CRITICAL PATCH Act Now

HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses. Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.

Memory Corruption Information Disclosure Html
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-8829 HIGH PATCH This Week

Heap information disclosure in HTML::Entities for Perl (versions before 3.84) allows remote attackers to leak adjacent heap memory contents when decoding entities. The XS routine _decode_entities retains a stale pointer into a hash value SV after grow_gap() reallocates the buffer, causing a use-after-free read that copies freed heap bytes into the output scalar. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the upstream fix is confirmed via GH PR #56.

Information Disclosure Use After Free Memory Corruption Html
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-58190 Go MEDIUM POC PATCH This Month

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. [CVSS 5.3 MEDIUM]

Golang Denial Of Service Html Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-47911 Go MEDIUM PATCH This Month

Html contains a vulnerability that allows attackers to denial of service (DoS) if an attacker provides specially crafted HTML content (CVSS 5.3).

Golang Denial Of Service Html Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2012-6142 HIGH This Week

Session::Cookie in the HTML::EP module 0.2011 for Perl does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via a crafted request, which is not. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Html
NVD
CVSS 2.0
7.5
EPSS
1.7%
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses. Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.

Memory Corruption Information Disclosure Html
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Heap information disclosure in HTML::Entities for Perl (versions before 3.84) allows remote attackers to leak adjacent heap memory contents when decoding entities. The XS routine _decode_entities retains a stale pointer into a hash value SV after grow_gap() reallocates the buffer, causing a use-after-free read that copies freed heap bytes into the output scalar. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the upstream fix is confirmed via GH PR #56.

Information Disclosure Use After Free Memory Corruption +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. [CVSS 5.3 MEDIUM]

Golang Denial Of Service Html +2
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Html contains a vulnerability that allows attackers to denial of service (DoS) if an attacker provides specially crafted HTML content (CVSS 5.3).

Golang Denial Of Service Html +2
NVD GitHub VulDB
EPSS 2% CVSS 7.5
HIGH This Week

Session::Cookie in the HTML::EP module 0.2011 for Perl does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via a crafted request, which is not. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Html
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy