Lucene search
K

1046 matches found

OSV
OSV
added 2026/05/07 3:16 p.m.14 views

UBUNTU-CVE-2026-41650

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "--" sequence in comment content or the "" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection...

6.1CVSS5.7AI score0.00238EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/05/07 1:36 p.m.44 views

CVE-2026-41650 fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "--" sequence in comment content or the "" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection...

6.1CVSS0.00238EPSS
Exploits1References2
Debian CVE
Debian CVE
added 2026/05/07 1:36 p.m.8 views

CVE-2026-41650

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "--" sequence in comment content or the "" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection...

6.1CVSS5.7AI score0.00238EPSS
Exploits1
ATTACKERKB
ATTACKERKB
added 2026/05/07 1:36 p.m.8 views

CVE-2026-41650

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "--" sequence in comment content or the "" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection...

6.1CVSS5.7AI score0.00238EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/05/07 1:36 p.m.68 views

CVE-2026-41650

CVE-2026-41650 affects fast-xml-parser XMLBuilder prior to v5.7.0, where unescaped "-->" in comments and "]]>" in CDATA can lead to XML injection when user-controlled data is built into XML from JavaScript objects. This can enable XSS, SOAP injection, or data manipulation as described in th...

6.1CVSS5.7AI score0.00238EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/05/07 3:49 a.m.74 views

CVE-2026-41675 xmldom: XML node injection through unvalidated processing instruction serialization

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without...

8.7CVSS0.00408EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/07 3:49 a.m.8 views

CVE-2026-41675 xmldom: XML node injection through unvalidated processing instruction serialization

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without...

8.7CVSS5.8AI score0.00408EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/07 3:49 a.m.13 views

EUVD-2026-28290

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without...

8.7CVSS5.8AI score0.00408EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/07 3:49 a.m.7 views

CVE-2026-41675

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without...

8.7CVSS5.8AI score0.00408EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2026/05/07 3:47 a.m.48 views

CVE-2026-41674

CVE-2026-41674 affects the xmldom/xmldom package. Before version 0.9.10 and 0.8.13 (and for the 0.6.0 line), DocumentType node fields internalSubset, publicId, and systemId are serialized verbatim by XMLSerializer without escaping or validation. If attackers set these fields to malicious strings,...

8.7CVSS5.9AI score0.00457EPSS
Exploits0References11
EUVD
EUVD
added 2026/05/07 3:36 a.m.13 views

EUVD-2026-28285

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or...

8.7CVSS5.8AI score0.00365EPSS
Exploits0References6
CVE
CVE
added 2026/05/07 3:36 a.m.102 views

CVE-2026-41672

CVE-2026-41672 affects xmldom/xmldom: attacker-controlled comment content can be serialized into XML, enabling injection of arbitrary nodes by breaking out of XML comments. The vulnerability exists in versions prior to 0.9.10 and 0.8.13 (and 0.6.0 and earlier) and is mitigated in 0.9.10 and 0.8.1...

8.7CVSS5.8AI score0.00365EPSS
Exploits0References10
CNNVD
CNNVD
added 2026/05/07 12:0 a.m.11 views

XMLDOM 安全漏洞

XMLDOM is a JavaScript implementation of the W3C DOM for Node developed by jindw. Versions of XMLDOM prior to 0.9.10, 0.8.13, and xmldom 0.6.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the lack of validation or neutralization when serializing comment...

8.7CVSS5.9AI score0.00365EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/07 12:0 a.m.16 views

Linux Distros Unpatched Vulnerability : CVE-2026-41672

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 an...

8.7CVSS5.5AI score0.00365EPSS
Exploits0References3
UbuntuCve
UbuntuCve
added 2026/05/07 12:0 a.m.10 views

CVE-2026-41675

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without...

8.7CVSS5.7AI score0.00408EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/06 2:21 p.m.8 views

CVE-2026-27693

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

5.4CVSS5.8AI score0.00183EPSS
Exploits1References1
Snyk
Snyk
added 2026/05/05 3:34 p.m.10 views

XML Injection

Overview Affected versions of this package are vulnerable to XML Injection in the KML and GPX export functionality. An attacker can corrupt the file structure and spoof exported location data by creating a device with a crafted name that injects XML content into the exported files. Remediation...

5.4CVSS5.8AI score0.00183EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/05 12:17 p.m.7 views

CVE-2026-27693 traccar allows XML injection in KML and GPX exports

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

5.4CVSS5.8AI score0.00183EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/05/05 12:17 p.m.39 views

CVE-2026-27693 traccar allows XML injection in KML and GPX exports

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

5.4CVSS0.00183EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/05/05 12:17 p.m.5 views

CVE-2026-27693

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

5.4CVSS5.8AI score0.00183EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder