CVE-2018-17846 (fedora, net)

The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

CVE-2020-13761

In Joomla! before 3.9.19, lack of input validation in the heading tag option of the “Articles – Newsflash” and “Articles – Categories” modules allows XSS.