Astro: XSS in define:vars via incomplete </script> tag sanitization

Summary The defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace or / before the closing , allowing ...

PT-2026-34233

Summary The defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace or / before the closing , allowing ...

CLEANSTART-2026-PY85990 tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing

Security vulnerability affects the prometheus package. The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing...

Security Bulletin: A vulnerability in Go affects IBM Robotic Process Automation for Cloud Pak and may result in tags incorrectly marked as self-closing (CVE-2025-22872).

Summary A vulnerability in Go affects IBM Robotic Process Automation for Cloud Pak and may result in tags incorrectly marked as self-closing. Go is used by IBM Robotic Process Automation for Cloud Pak as part of its deployment. This bulletin identifies the fixes required to resolve the...

Security Bulletin: Incorrect Handling of Unquoted Attributes Ending with Slash in Tokenizer Causes Misparsed Self-Closing Tags in Foreign Content affects watsonx.data

Summary The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in conten...

Important: runfinch-finch

Issue Overview: The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permi...

SUSE CVE-2025-22872

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...

CVE-2025-22872

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...

AZL-60565 CVE-2025-22872 affecting package helm for versions less than 3.14.2-6

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...

AZL-60542 CVE-2025-22872 affecting package gh for versions less than 2.62.0-8

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...

AZL-60459 CVE-2025-22872 affecting package cri-tools for versions less than 1.32.0-2

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...

AZL-60588 CVE-2025-22872 affecting package telegraf for versions less than 1.29.4-16

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...

AZL-60492 CVE-2025-22872 affecting package ig for versions less than 0.37.0-4

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...

AZL-60557 CVE-2025-22872 affecting package docker-compose for versions less than 2.27.0-5

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...

AZL-61812 CVE-2025-22872 affecting package cri-o 1.30.1-1

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...

AZL-65667 CVE-2025-22872 affecting package nvidia-container-toolkit for versions less than 1.17.8-2

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...

AZL-60474 CVE-2025-22872 affecting package multus for versions less than 4.0.2-5

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...

AZL-60601 CVE-2025-22872 affecting package sriov-network-device-plugin for versions less than 3.6.2-9

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...

CVE-2025-22872

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...

AZL-60586 CVE-2025-22872 affecting package cri-tools for versions less than 1.29.0-8

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...