Aggregates CVE and security vulnerability intelligence across all htacg-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to vendor risk buffer overflow, vendor risk memory corruption, and vendor risk input validation; exposure may include vendor impact application crash in vendor surface software deployment contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-6498 | A vulnerability classified as problematic has been found in HTACG tidy-html5 5.8.0. Affected is the function defaultAlloc of the file src/alloc.c. The manipulation leads to memory leak. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. | [email protected] | 1.9 | 0.19% | 2025-06-23 | 2026-04-29 |
| CVE-2021-33391 | An issue in HTACG HTML Tidy v5.7.28 allows attacker to execute arbitrary code via the -g option of the CleanNode() function in gdoc.c. | [email protected] | 9.8 | 1.13% | 2023-02-17 | 2025-03-18 |
| CVE-2017-17497 | In Tidy 5.7.0, the prvTidyTidyMetaCharset function in clean.c allows attackers to cause a denial of service (Segmentation Fault), because the currentNode variable in the "children of the head" processing feature is modified in the loop without validating the new value. | [email protected] | 7.5 | 1.38% | 2017-12-10 | 2026-05-13 |
| CVE-2017-13692 | In Tidy 5.5.31, the IsURLCodePoint function in attrs.c allows attackers to cause a denial of service (Segmentation Fault), as demonstrated by an invalid ISALNUM argument. | [email protected] | 7.5 | 1.15% | 2017-08-25 | 2026-05-13 |
| CVE-2015-5523 | The ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving multiple whitespace characters before an empty href, which triggers a large memory allocation. | [email protected] | 4.3 | 3.84% | 2015-08-11 | 2026-05-06 |
| CVE-2015-5522 | Heap-based buffer overflow in the ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving a command character in an href. | [email protected] | 6.8 | 4.66% | 2015-08-11 | 2026-05-06 |