Lucene search
K

9 matches found

Github Security Blog
Github Security Blog
added 2026/03/17 7:45 p.m.14 views

fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)

Summary The fix for CVE-2026-26278 added entity expansion limits maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references &NNN; and &xH...

7.5CVSS6AI score0.00811EPSS
Exploits2References6Affected Software1
Snyk
Snyk
added 2026/03/17 7:45 p.m.7 views

XML Entity Expansion

Overview org.webjars.npm:fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries Affected versions of this package are vulnerable to XML Entity Expansion in the replaceEntitiesValue function, which doesn't protect unlimited expansion of numeric entities the way it do...

8.7CVSS5.9AI score0.00811EPSS
Exploits2References2
Snyk
Snyk
added 2026/03/17 7:45 p.m.4 views

XML Entity Expansion

Overview fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries Affected versions of this package are vulnerable to XML Entity Expansion in the replaceEntitiesValue function, which doesn't protect unlimited expansion of numeric entities the way it does DOCTYPE data ...

8.7CVSS5.9AI score0.00811EPSS
Exploits2References2
OSV
OSV
added 2026/03/17 7:45 p.m.3 views

GHSA-8GC5-J5RX-235R fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)

Summary The fix for CVE-2026-26278 added entity expansion limits maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references &NNN; and &xH...

7.5CVSS6AI score0.00576EPSS
Exploits1References6
Wolfi
Wolfi
added 2026/02/19 1:49 p.m.6 views

CVE-2026-26278 vulnerabilities

Vulnerabilities for packages: tileserver-gl, jitsucom-jitsu, renovate, saf, prism, kubeflow-pipelines...

7.5CVSS5.9AI score0.00811EPSS
Exploits1
Chainguard
Chainguard
added 2026/02/19 1:17 p.m.8 views

CVE-2026-26278 vulnerabilities

Vulnerabilities for packages: tileserver-gl-fips, renovate, kubeflow-pipelines, dbgate, langfuse, prism, dbgate-fips, langfuse-fips, tileserver-gl, librechat, kibana, saf, jitsucom-jitsu...

7.5CVSS5.9AI score0.00811EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/02/17 9:30 p.m.6 views

@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.9), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1095 more potentially affected by CVE-2026-26278 via fast-xml-parser (>=5.0.1 <=5.3.5)

fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =1.4.37, =1.6.11, =1.7.1 and more Source cves: CVE-2026-26278 Source advisory: OSV:GHSA-JMR7-XGP7-CMFJ...

7.5CVSS5.7AI score0.00811EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/02/17 9:30 p.m.8 views

@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.9), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1095 more potentially affected by CVE-2026-26278 via fast-xml-parser (>=5.0.1 <=5.3.5)

fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =1.4.37, =1.6.11, =1.7.1 and more Source cves: CVE-2026-26278 Source advisory: SNYK:JS-FASTXMLPARSER-15307668...

7.5CVSS5.7AI score0.00811EPSS
Exploits1
Circl
Circl
added 2026/02/14 6:7 a.m.8 views

CVE-2026-26278

creationtimestamp| type| source ---|---|--- 2026-02-14 06:07:36+00:00| published-proof-of-concept| https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj 2026-02-19 21:01:23+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mfaihpafsp2n...

7.5CVSS7.1AI score0.00811EPSS
Exploits1References7
Rows per page
Query Builder