CVE-2026-26278

High CVSS: 7.5

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.

Vendor

Naturalintelligence

Product

Fast-xml-parser

CWE

CWE-776

Yayın Tarihi

2026-02-19 20:25:43

Güncelleme

2026-02-23 19:30:26

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-776 Fast-xml-parser HIGH Naturalintelligence 2026

Referanslar

https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77 https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6 https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj

Benzer Kayıtlar

Medium

CVE-2026-33349

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.…

High

CVE-2026-33036

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-be…

Low

CVE-2026-27942

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based li…

Critical

CVE-2026-25896

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based li…

High

CVE-2026-25128

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based li…