9 matches found
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
Summary The fix for CVE-2026-26278 added entity expansion limits maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references &NNN; and &xH...
XML Entity Expansion
Overview org.webjars.npm:fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries Affected versions of this package are vulnerable to XML Entity Expansion in the replaceEntitiesValue function, which doesn't protect unlimited expansion of numeric entities the way it do...
XML Entity Expansion
Overview fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries Affected versions of this package are vulnerable to XML Entity Expansion in the replaceEntitiesValue function, which doesn't protect unlimited expansion of numeric entities the way it does DOCTYPE data ...
GHSA-8GC5-J5RX-235R fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
Summary The fix for CVE-2026-26278 added entity expansion limits maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references &NNN; and &xH...
CVE-2026-26278 vulnerabilities
Vulnerabilities for packages: tileserver-gl, jitsucom-jitsu, renovate, saf, prism, kubeflow-pipelines...
CVE-2026-26278 vulnerabilities
Vulnerabilities for packages: tileserver-gl-fips, renovate, kubeflow-pipelines, dbgate, langfuse, prism, dbgate-fips, langfuse-fips, tileserver-gl, librechat, kibana, saf, jitsucom-jitsu...
@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.9), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1095 more potentially affected by CVE-2026-26278 via fast-xml-parser (>=5.0.1 <=5.3.5)
fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =1.4.37, =1.6.11, =1.7.1 and more Source cves: CVE-2026-26278 Source advisory: OSV:GHSA-JMR7-XGP7-CMFJ...
@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.9), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1095 more potentially affected by CVE-2026-26278 via fast-xml-parser (>=5.0.1 <=5.3.5)
fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =1.4.37, =1.6.11, =1.7.1 and more Source cves: CVE-2026-26278 Source advisory: SNYK:JS-FASTXMLPARSER-15307668...
CVE-2026-26278
creationtimestamp| type| source ---|---|--- 2026-02-14 06:07:36+00:00| published-proof-of-concept| https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj 2026-02-19 21:01:23+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mfaihpafsp2n...