4 matches found
CVE-2026-44665
fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerabili...
CVE-2026-44665
Summary of CVE-2026-44665 details (from provided sources): The vulnerability affects the fast-xml-builder library, where input data containing quotes in attribute values, if the processEntities flag is not enabled, can cause an attribute value to be split into multiple attributes. This enables an...
GHSA-5WM8-GMM8-39J9 fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes
Summary When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. Detail Malicious Input a: "@attr": '" onClick="alert1' Output x...
PT-2026-39287
Name of the Vulnerable Software and Affected Versions fast-xml-builder versions prior to 1.1.7 Description When input data contains quotes in attribute values and the processEntities flag is disabled, the software incorrectly splits the attribute value into multiple attributes. This allows an...