Lucene search
K

182 matches found

SUSE CVE
SUSE CVE
added 2026/02/21 12:24 a.m.5 views

SUSE CVE-2026-26278

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it's possible ...

7.5CVSS5.8AI score0.00811EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 2026/02/21 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2023-26920

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - fast-xml-parser before 4.1.2 allows proto for Prototype Pollution. CVE-2023-26920 Note that Nessus relies on the presence of the package as reported by the...

6.5CVSS6.8AI score0.01152EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 2026/02/21 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2026-25896

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to...

9.3CVSS5.9AI score0.00445EPSS
Exploits1References3
OSV
OSV
added 2026/02/20 9:19 p.m.4 views

DEBIAN-CVE-2026-25896

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS7.3AI score0.00445EPSS
Exploits1References1
NVD
NVD
added 2026/02/20 9:19 p.m.11 views

CVE-2026-25896

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS0.00445EPSS
Exploits1References11
UbuntuCve
UbuntuCve
added 2026/02/20 9:19 p.m.5 views

CVE-2026-25896

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS5.8AI score0.00445EPSS
Exploits1References5
OSV
OSV
added 2026/02/20 9:19 p.m.2 views

UBUNTU-CVE-2026-25896

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS5.9AI score0.00445EPSS
Exploits1References6
CVE
CVE
added 2026/02/20 8:57 p.m.78 views

CVE-2026-25896

CVE-2026-25896 affects the Node.js XML parser fast-xml-parser. From 4.1.3 up to (but not including) 5.3.5, a dot in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing shadowing of built-in entities and bypassing encoding, which can lead to XSS when parsed out...

9.3CVSS5.7AI score0.00445EPSS
Exploits1References11Affected Software1
Cvelist
Cvelist
added 2026/02/20 8:57 p.m.24 views

CVE-2026-25896 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS0.00445EPSS
Exploits1References4
OSV
OSV
added 2026/02/20 8:57 p.m.4 views

CVE-2026-25896 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS5.7AI score0.00445EPSS
Exploits1References6
Snyk
Snyk
added 2026/02/20 6:23 p.m.3 views

Incorrect Regular Expression

Overview fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries Affected versions of this package are vulnerable to Incorrect Regular Expression in the entity parsing RegEx in DOCTYPE declarations. An attacker can inject arbitrary values that override built-in XML...

9.3CVSS6AI score0.00445EPSS
Exploits1References2
vulnersOsv
vulnersOsv
added 2026/02/20 6:23 p.m.8 views

@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.9), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1093 more potentially affected by CVE-2026-25896 via fast-xml-parser (>=5.0.1 <=5.3.4)

fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =1.4.37, =1.6.11, =1.7.1 and more Source cves: CVE-2026-25896 Source advisory: SNYK:JS-FASTXMLPARSER-15324289...

9.3CVSS5.7AI score0.00445EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/02/20 6:23 p.m.6 views

5-ifc-check-cli (=1.0.0), 7ghost (>=4.11.2 <=4.11.46) +3882 more potentially affected by CVE-2026-25896 via fast-xml-parser (>=4.1.3 <=4.5.3)

fast-xml-parser NPM version =4.1.3, =4.11.2, =0.1.1, =0.0.2, =1.0.1, =1.0.0, =0.0.1, =1.0.0, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2026-25896 Source advisory: SNYK:JS-FASTXMLPARSER-15324289...

9.3CVSS5.7AI score0.00445EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/02/20 6:23 p.m.8 views

5-ifc-check-cli (=1.0.0), 7ghost (>=4.11.2 <=4.11.46) +3882 more potentially affected by CVE-2026-25896 via fast-xml-parser (>=4.1.3 <=4.5.3)

fast-xml-parser NPM version =4.1.3, =4.11.2, =0.1.1, =0.0.2, =1.0.1, =1.0.0, =0.0.1, =1.0.0, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2026-25896 Source advisory: OSV:GHSA-M7JM-9GC2-MPF2...

9.3CVSS5.7AI score0.00445EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/02/20 6:23 p.m.8 views

@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.9), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1093 more potentially affected by CVE-2026-25896 via fast-xml-parser (>=5.0.1 <=5.3.4)

fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =1.4.37, =1.6.11, =1.7.1 and more Source cves: CVE-2026-25896 Source advisory: OSV:GHSA-M7JM-9GC2-MPF2...

9.3CVSS5.7AI score0.00445EPSS
Exploits1
OSV
OSV
added 2026/02/20 6:23 p.m.8 views

GHSA-M7JM-9GC2-MPF2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

Entity encoding bypass via regex injection in DOCTYPE entity names Summary A dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities , , &, ", ' with arbitrary values. This bypasses entity encoding and leads to...

9.3CVSS7.1AI score0.00445EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/02/20 6:23 p.m.35 views

fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

Entity encoding bypass via regex injection in DOCTYPE entity names Summary A dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities , , &, ", ' with arbitrary values. This bypasses entity encoding and leads to...

9.3CVSS7.1AI score0.00445EPSS
Exploits1References6Affected Software1
CNNVD
CNNVD
added 2026/02/20 12:0 a.m.9 views

fast-xml-parser 安全漏洞

fast-xml-parser is an open-source library developed by Natural Intelligence. It is used for quickly validating, parsing, and processing XML files without relying on C/C++-based libraries or callbacks. There were security vulnerabilities in versions 4.1.3 to 5.3.5 of fast-xml-parser, where the dot...

9.3CVSS7AI score0.00445EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/02/20 12:0 a.m.4 views

PT-2026-21298

Name of the Vulnerable Software and Affected Versions fast-xml-parser versions 4.1.3 through 5.3.5 Description fast-xml-parser has a flaw in how it handles DOCTYPE entity names during XML parsing. Specifically, a dot . within an entity name is treated as a regex wildcard during entity replacement...

9.3CVSS5.6AI score0.00445EPSS
Exploits1References157
NVD
NVD
added 2026/02/19 8:25 p.m.14 views

CVE-2026-26278

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible ...

7.5CVSS0.00811EPSS
Exploits1References10
Rows per page
Query Builder