
19 matches found

OSV
added yesterday | 2 views

ROOT-APP-NPM-CVE-2026-44665 CVE-2026-44665 in @rootio/fast-xml-builder - Patched by Root

Root has patched CVE-2026-44665 in the @rootio/fast-xml-builder package for Root:npm. Multiple fixed versions available...

6.1 CVSS | 5.8 AI score | 0.0001 EPSS
Exploits: 0
IBM Security Bulletins
added 3 days ago | 6 views

Security Bulletin: IBM Application Modernization Accelerator is affected by multiple vulnerabilities found in Node.js

Summary There are multiple vulnerabilities in Node.js used by IBM Application Modernization Accelerator. Vulnerability Details CVEID:CVE-2026-44664 DESCRIPTION: fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment...

6.1 CVSS | 5.9 AI score | 0.00012 EPSS
Exploits: 1 | Affected Software: 1
RedhatCVE
added 2026/05/20 9:58 a.m. | 11 views

CVE-2026-44664

A flaw was found in fast-xml-builder. The software, which builds XML from JSON, incorrectly sanitizes XML comment content. This allows a remote attacker to bypass the sanitization by using three consecutive dashes, enabling them to break out of an XML comment and inject arbitrary XML or HTML...

6.1 CVSS | 5.8 AI score | 0.0001 EPSS
Exploits: 0 | References: 4
RedhatCVE
added 2026/05/20 9:58 a.m. | 7 views

CVE-2026-44665

A flaw was found in fast-xml-builder, a software component used to create XML documents from JSON data. This vulnerability allows a remote attacker to inject unauthorized attributes into the generated XML or HTML output. By crafting malicious input that includes quotes in attribute values without...

6.1 CVSS | 5.8 AI score | 0.0001 EPSS
Exploits: 0 | References: 4
NVD
added 2026/05/13 4:16 p.m. | 7 views

CVE-2026-44665

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerabili...

6.1 CVSS | 0.0001 EPSS
Exploits: 0 | References: 1
NVD
added 2026/05/13 4:16 p.m. | 6 views

CVE-2026-44664

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skips the values containing three consecutive dashes, e.g., ---..., allowing an attacker to break out of an XML comment and...

6.1 CVSS | 0.0001 EPSS
Exploits: 0 | References: 1
Cvelist
added 2026/05/13 3:27 p.m. | 28 views

CVE-2026-44664 fast-xml-builder: Comment Value bypass regex

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skips the values containing three consecutive dashes, e.g., ---..., allowing an attacker to break out of an XML comment and...

6.1 CVSS | 0.0001 EPSS
Exploits: 0 | References: 1
ATTACKERKB
added 2026/05/13 3:27 p.m. | 4 views

CVE-2026-44664

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skips the values containing three consecutive dashes, e.g., ---..., allowing an attacker to break out of an XML comment and...

6.1 CVSS | 5.9 AI score | 0.00012 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2026/05/13 3:27 p.m. | 10 views

CVE-2026-44664

The CVE concerns fast-xml-builder, which converts JSON to XML. In version 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitized -- sequences in XML comments via .replace(/--/g, '- -'), allowing an attacker to break out of a comment and inject arbitrary XML/HTML. The issue is addressed in...

6.1 CVSS | 5.9 AI score | 0.0001 EPSS
Exploits: 0 | References: 1
Vulnrichment
added 2026/05/13 3:27 p.m. | 5 views

CVE-2026-44664 fast-xml-builder: Comment Value bypass regex

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skips the values containing three consecutive dashes, e.g., ---..., allowing an attacker to break out of an XML comment and...

6.1 CVSS | 5.9 AI score | 0.0001 EPSS
Exploits: 0 | References: 1
Vulnrichment
added 2026/05/13 3:24 p.m. | 9 views

CVE-2026-44665 fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerabili...

6.1 CVSS | 5.8 AI score | 0.0001 EPSS
Exploits: 0 | References: 1
CVE
added 2026/05/13 3:24 p.m. | 10 views

CVE-2026-44665

Summary of CVE-2026-44665 details (from provided sources): The vulnerability affects the fast-xml-builder library, where input data containing quotes in attribute values, if the processEntities flag is not enabled, can cause an attribute value to be split into multiple attributes. This enables an...

6.1 CVSS | 5.8 AI score | 0.0001 EPSS
Exploits: 0 | References: 1
Cvelist
added 2026/05/13 3:24 p.m. | 24 views

CVE-2026-44665 fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerabili...

6.1 CVSS | 0.0001 EPSS
Exploits: 0 | References: 1
vulnersOsv
added 2026/05/08 4:29 p.m. | 3 views

@activepieces/piece-amazon-textract (>=0.2.0 <=0.3.0), @activepieces/piece-salesforce (=0.7.2) +6 more potentially affected by CVE-2026-44665 via fast-xml-builder (>=1.1.1 <=1.1.4)

fast-xml-builder NPM version =1.1.1, =0.2.0, =0.2.1, =0.0.4, =0.0.1, =10.4.0, =0.1.0, =0.1.2 Source cves: CVE-2026-44665 Source advisory: SNYK:JS-FASTXMLBUILDER-16540558...

6.1 CVSS | 5.8 AI score | 0.0001 EPSS
Exploits: 0
OSV
added 2026/05/08 4:29 p.m. | 2 views

GHSA-5WM8-GMM8-39J9 fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes

Summary When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. Detail Malicious Input a: "@attr": '" onClick="alert1' Output x...

8.7 CVSS | 5.8 AI score | 0.0001 EPSS
Exploits: 0 | References: 3
Patchstack
added 2026/05/08 4:29 p.m. | 5 views

NPM: fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes

NPM: fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes vulnerability discovered by ? in WordPress Npm fast-xml-builder versions = 1.1.6...

6.1 CVSS | 5.8 AI score | 0.0001 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
Patchstack
added 2026/05/08 4:27 p.m. | 4 views

NPM: fast-xml-builder Comment Value regex can be bypassed

NPM: fast-xml-builder Comment Value regex can be bypassed vulnerability discovered by ? in WordPress Npm fast-xml-builder versions 1.1.5...

6.1 CVSS | 5.8 AI score | 0.0001 EPSS
Exploits: 0 | References: 4 | Affected Software: 1
Snyk
added 2026/05/08 4:27 p.m. | 4 views

XML Injection

Overview Affected versions of this package are vulnerable to XML Injection due to the incomplete sanitization of XML comments. An attacker can inject arbitrary XML or HTML content by including three consecutive dashes in the comment value. Note: This issue was introduced by the fix for...

6.1 CVSS | 5.9 AI score | 0.00012 EPSS
Exploits: 1 | References: 2
vulnersOsv
added 2026/04/17 9:0 p.m. | 5 views

@activepieces/piece-amazon-textract (>=0.2.0 <=0.3.0), @activepieces/piece-salesforce (=0.7.2) +6 more potentially affected by CVE-2026-41650 +1 more via fast-xml-builder (>=1.1.1 <=1.1.4)

fast-xml-builder NPM version =1.1.1, =0.2.0, =0.2.1, =0.0.4, =0.0.1, =10.4.0, =0.1.0, =0.1.2 Source cves: CVE-2026-41650, CVE-2026-44664 Source advisory: SNYK:JS-FASTXMLBUILDER-16133760...

6.1 CVSS | 5.8 AI score | 0.00012 EPSS
Exploits: 1