
Github Security Blog
added 2026/03/19 7:13 p.m., 3 views

Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser

Summary The DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in...

CVSS 5.9 | AI score 6.1 | EPSS 0.00039
Exploits 1 | References 5 | Affected software 1
vulnersOsv
added 2026/03/19 7:13 p.m., 4 views

0xuath-sdk-react (>=0.0.2 <=0.0.23), 1-test-gulp-1 (>=0.0.1 <=0.0.4) +15079 more potentially affected by CVE-2026-33349 via fast-xml-parser (>=4.0.0-beta.7 <=5.5.6)

fast-xml-parser NPM version =4.0.0-beta.7, =0.0.2, =0.0.1, =0.0.1, =1.0.0, =3.1.4, =3.1.6, =0.1.0, =0.0.2, =4.11.2, =0.1.1, =1.0.1 and more Source cves: CVE-2026-33349 Source advisory: SNYK:JS-FASTXMLPARSER-15699647...

CVSS 5.9 | AI score 6.2 | EPSS 0.00039
Exploits 1
vulnersOsv
added 2026/03/19 7:13 p.m., 4 views

5-ifc-check-cli (=1.0.0), 7ghost (>=4.11.2 <=4.11.46) +4171 more potentially affected by CVE-2026-33349 via fast-xml-parser (>=4.0.0-beta.7 <=4.5.4)

fast-xml-parser NPM version =4.0.0-beta.7, =4.11.2, =0.1.1, =0.0.2, =1.0.1, =1.0.0, =0.0.1, =1.0.0, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2026-33349 Source advisory: OSV:GHSA-JP2Q-39XQ-3W4G...

CVSS 5.9 | AI score 6.2 | EPSS 0.00039
Exploits 1
EUVD
added 2026/03/19 12:30 p.m., 3 views

EUVD-2006-7232

XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size cause a heap corruption double free or corruption and crashes. A :utf8 PerlIO layer, parse_stream in Expat.xs could overflow the XML input buffer because Perl's read returns decoded characters while SvPV gives...

CVSS 9.8 | AI score 6 | EPSS 0.00035
Exploits 0 | References 4
NVD
added 2026/03/19 12:16 p.m., 3 views

CVE-2006-10003

XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack. In the case stackptr == stacksize - 1, the stack will NOT be expanded. Then the new value will be written at location ++stackptr, which equals stacksize and therefore falls just outside the allocat...

CVSS 9.8 | EPSS 0.00029
Exploits 0 | References 5
NVD
added 2026/03/19 12:16 p.m., 3 views

CVE-2006-10002

XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption double free or corruption and crashes. A :utf8 PerlIO layer, parse_stream in Expat.xs could overflow the XML input buffer because Perl's read returns decoded characters while SvPV gives...

CVSS 9.8 | EPSS 0.00035
Exploits 0 | References 6
OSV
added 2026/03/19 12:16 p.m., 0 views

UBUNTU-CVE-2006-10002

XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption double free or corruption and crashes. A :utf8 PerlIO layer, parse_stream in Expat.xs could overflow the XML input buffer because Perl's read returns decoded characters while SvPV gives...

CVSS 9.8 | AI score 6 | EPSS 0.00035
Exploits 0 | References 4
Cvelist
added 2026/03/19 11:08 a.m., 20 views

CVE-2006-10003 XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack

XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack. In the case stackptr == stacksize - 1, the stack will NOT be expanded. Then the new value will be written at location ++stackptr, which equals stacksize and therefore falls just outside the allocat...

EPSS 0.00029
Exploits 0 | References 3
CVE
added 2026/03/19 11:08 a.m., 11 views

CVE-2006-10003

XML::Parser for Perl versions through 2.47 contains an off-by-one heap buffer overflow in st_serial_stack. When stackptr == stacksize - 1, the stack should not expand, yet the code writes to (++stackptr) which equals stacksize, falling outside the allocated buffer and enabling memory corruption u...

CVSS 9.8 | AI score 6 | EPSS 0.00029
Exploits 0 | References 5 | Affected software 1
Vulnrichment
added 2026/03/19 11:03 a.m., 2 views

CVE-2006-10002 XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes

XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption double free or corruption and crashes. A :utf8 PerlIO layer, parse_stream in Expat.xs could overflow the XML input buffer because Perl's read returns decoded characters while SvPV gives...

AI score 6 | EPSS 0.00035
Exploits 0 | References 4
Debian CVE
added 2026/03/19 11:03 a.m., 4 views

CVE-2006-10002

XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption double free or corruption and crashes. A :utf8 PerlIO layer, parse_stream in Expat.xs could overflow the XML input buffer because Perl's read returns decoded characters while SvPV gives...

CVSS 9.8 | AI score 5.7 | EPSS 0.00035
Exploits 0
Cvelist
added 2026/03/19 11:03 a.m., 23 views

CVE-2006-10002 XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes

XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption double free or corruption and crashes. A :utf8 PerlIO layer, parse_stream in Expat.xs could overflow the XML input buffer because Perl's read returns decoded characters while SvPV gives...

EPSS 0.00035
Exploits 0 | References 4
CVE
added 2026/03/19 11:03 a.m., 16 views

CVE-2006-10002

CVE-2006-10002 affects XML::Parser for Perl up to version 2.47. The root cause is in A utf8 PerlIO layer, parse_stream() in Expat.xs where Perl's read() returns decoded characters while SvPV() provides multi-byte UTF-8 bytes, potentially overflowing the pre-allocated XML input buffer. This can le...

CVSS 9.8 | AI score 6 | EPSS 0.00035
Exploits 0 | References 6 | Affected software 1
Tenable Nessus
added 2026/03/19 12:00 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2006-10002

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption double free or corruption and crashes. A :utf8...

CVSS 9.8 | AI score 6 | EPSS 0.00035
Exploits 0 | References 3
CNNVD
added 2026/03/19 12:00 a.m., 2 views

XML::Parser security vulnerability

XML::Parser is an open-source Perl-based XML document parsing module developed by contributors on CPAN. Versions of XML::Parser 2.47 and earlier contained security vulnerabilities; these vulnerabilities were caused by XML input buffer overflows, which could lead to heap corruption and system...

CVSS 9.8 | AI score 6 | EPSS 0.00035
Exploits 0 | References 7
Positive Technologies
added 2026/03/19 12:00 a.m., 2 views

PT-2026-26487

Name of the Vulnerable Software and Affected Versions fast-xml-parser versions 4.0.0-beta.3 through 5.5.6 Description The DocTypeReader in fast-xml-parser incorrectly uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer sets either limi...

CVSS 5.9 | AI score 5.8 | EPSS 0.00039
Exploits 1 | References 7
Tenable Nessus
added 2026/03/19 12:00 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2006-10003

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack. In the case stackptr == stacksize - 1, the stack will NOT be...

CVSS 9.8 | AI score 6 | EPSS 0.00029
Exploits 0 | References 3
Snyk
added 2026/03/17 7:45 p.m., 3 views

XML Entity Expansion

Overview fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries Affected versions of this package are vulnerable to XML Entity Expansion in the replaceEntitiesValue function, which doesn't protect unlimited expansion of numeric entities the way it does DOCTYPE data ...

CVSS 8.7 | AI score 5.9 | EPSS 0.00032
Exploits 2 | References 2
vulnersOsv
added 2026/03/17 7:45 p.m., 7 views

com.codbex.atlas:codbex-atlas-application (>=2.62.0 <=2.108.0), com.codbex.gaia:codbex-gaia-application (>=2.61.0 <=2.64.0) +22 more potentially affected by CVE-2026-26278 +1 more via org.webjars.npm:fast-xml-parser (>=4.5.3 <=5.2.5)

org.webjars.npm:fast-xml-parser MAVEN version =4.5.3, =2.62.0, =2.61.0, =2.52.0, =2.52.0, =2.51.0, =2.51.0, =3.6.0, =2.50.0, =5.0.0, =5.0.0, =11.58.0, =12.2.0, =11.58.0, =11.58.0, =11.48.2, =12.1.0 and more Source cves: CVE-2026-26278, CVE-2026-33036 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15677...

CVSS 7.5 | AI score 6.5 | EPSS 0.00032
Exploits 2
vulnersOsv
added 2026/03/17 7:45 p.m., 3 views

0xuath-sdk-react (>=0.0.2 <=0.0.23), 1-test-gulp-1 (>=0.0.1 <=0.0.4) +15077 more potentially affected by CVE-2026-26278 +1 more via fast-xml-parser (>=4.0.0-beta.2 <=5.5.5)

fast-xml-parser NPM version =4.0.0-beta.2, =0.0.2, =0.0.1, =0.0.1, =1.0.0, =3.1.4, =3.1.6, =0.1.0, =0.0.2, =4.11.2, =0.1.1, =1.0.1 and more Source cves: CVE-2026-26278, CVE-2026-33036 Source advisory: SNYK:JS-FASTXMLPARSER-15677840...

CVSS 7.5 | AI score 6.5 | EPSS 0.00032
Exploits 2