2719 matches found

Snyk
added 2026/03/17 7:45 p.m., 4 views

XML Entity Expansion

Overview: org.webjars.npm:fast-xml-parser is a package to validate XML, parse XML and build XML without C/C++ based libraries. Affected versions of this package are vulnerable to XML Entity Expansion in the replaceEntitiesValue function, which does not protect against unlimited expansion of numeric entities the way it do...

CVSS 8.7, AI score 5.9, EPSS 0.00032
Exploits: 2, References: 2
vulnersOsv
added 2026/03/17 7:45 p.m., 4 views

@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.8), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1168 more potentially affected by CVE-2026-33036 via fast-xml-parser (>=5.0.1 <=5.5.5)

fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =0.5.3, =0.2.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =3.13.0 and more. Source CVEs: CVE-2026-33036. Source advisory: OSV:GHSA-8GC5-J5RX-235R...

CVSS 7.5, AI score 6.5, EPSS 0.00027
Exploits: 1
OSV
added 2026/03/17 7:45 p.m., 1 view

GHSA-8GC5-J5RX-235R fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)

Summary: The fix for CVE-2026-26278 added the entity expansion limits maxTotalExpansions, maxExpandedLength, maxEntityCount and maxEntitySize to prevent XML entity expansion denial of service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references (&#NNN; and &#xH...

CVSS 7.5, AI score 6, EPSS 0.00027
Exploits: 1, References: 6
vulnersOsv
added 2026/03/17 7:45 p.m., 4 views

5-ifc-check-cli (=1.0.0), 7ghost (>=4.11.2 <=4.11.46) +4171 more potentially affected by CVE-2026-33036 via fast-xml-parser (>=4.0.0-beta.7 <=4.5.4)

fast-xml-parser NPM version =4.0.0-beta.7, =4.11.2, =0.1.1, =0.0.2, =1.0.1, =1.0.0, =0.0.1, =1.0.0, =0.0.1, =0.0.1, =0.0.3 and more. Source CVEs: CVE-2026-33036. Source advisory: OSV:GHSA-8GC5-J5RX-235R...

CVSS 7.5, AI score 6.5, EPSS 0.00027
Exploits: 1
Github Security Blog
added 2026/03/17 7:45 p.m., 13 views

fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)

Summary: The fix for CVE-2026-26278 added the entity expansion limits maxTotalExpansions, maxExpandedLength, maxEntityCount and maxEntitySize to prevent XML entity expansion denial of service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references (&#NNN; and &#xH...

CVSS 7.5, AI score 6, EPSS 0.00032
Exploits: 2, References: 6, Affected Software: 1
Positive Technologies
added 2026/03/17 12:00 a.m., 2 views

PT-2026-25995

Name of the Vulnerable Software and Affected Versions: fast-xml-parser versions 4.0.0-beta.3 through 5.5.5. Description: fast-xml-parser allows users to process XML from JavaScript objects without relying on C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass tha...

CVSS 7.5, AI score 5.9, EPSS 0.00032
Exploits: 2, References: 13
UbuntuCve
added 2026/03/16 6:16 p.m., 1 view

CVE-2026-4224

When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model, a C stack overflow occurs...

CVSS 6, AI score 5.8, EPSS 0.00089
Exploits: 0, References: 4
Cvelist
added 2026/03/16 5:52 p.m., 21 views

CVE-2026-4224: Stack overflow parsing XML with deeply nested DTD content models

When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model, a C stack overflow occurs...

CVSS 6, EPSS 0.00089
Exploits: 0, References: 8
CNNVD
added 2026/03/16 12:00 a.m., 3 views

libexpat code issue vulnerability

libexpat is a streaming XML parser written in C by the libexpat team. Versions of libexpat prior to 2.7.5 contain code issue vulnerabilities, which stem from a null pointer dereference when handling empty external parameter entity content...

CVSS 5.5, AI score 7.2, EPSS 0.00006
Exploits: 0, References: 3
Veracode
added 2026/03/04 8:04 a.m., 3 views

Stack Overflow

fast-xml-parser is vulnerable to a stack overflow. The vulnerability is due to improper handling in the XML builder when preserveOrder:true is enabled, which allows an attacker to trigger a stack overflow and crash the application by providing crafted input data...

CVSS 7.5, AI score 6, EPSS 0.00018
Exploits: 0, References: 4, Affected Software: 1
Tenable Nessus
added 2026/03/01 12:00 a.m., 9 views

Linux Distros Unpatched Vulnerability : CVE-2026-27942

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and without callbacks. Prior to versio...

CVSS 7.5, AI score 7.1, EPSS 0.00018
Exploits: 0, References: 3
Packet Storm
added 2026/02/27 12:00 a.m., 128 views

fast-xml-parser 5.3.5 Denial of Service

A denial of service vulnerability was identified in fast-xml-parser affecting versions 4.1.3 through 5.3.5. The issue arises from improper handling of XML Document Type Definitions (DTDs), specifically when processing internal entity expansion. An attacker can supply a crafted XML payload containing...

AI score 5.9
Exploits: 0
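The two expansion classes in the entries above, internal DTD entity expansion (the Packet Storm entry) and the numeric character references that GHSA-8GC5-J5RX-235R says the fix for CVE-2026-26278 left unbounded, can both be budgeted before a document reaches any parser. The following is an added example written for this page, not code from fast-xml-parser or from any of the advisories listed; the limit names maxEntityCount and maxExpandedLength are borrowed from the advisory's option list, maxDepth and maxNumericRefs are assumed names, and the sample documents are constructed here.

```javascript
// Pre-parse expansion budget for untrusted XML (added example, not library code).
// Assumption: XML arrives from untrusted clients and must be refused before any
// parser (fast-xml-parser, an expat binding, ...) touches it when it would expand
// beyond a budget. Three things are bounded: the count and worst-case expanded size
// of internal DOCTYPE entities, and the number of numeric character references
// (&#NNN; / &#xHH;) in the body, which the advisory says the library's own
// limits did not cover.

const DOCTYPE_RE = /<!DOCTYPE\b[^\[>]*(?:\[([\s\S]*?)\])?\s*>/;
// Internal general entities only; parameter (%) and SYSTEM/PUBLIC entities do not match.
const ENTITY_DECL_SRC = String.raw`<!ENTITY\s+([A-Za-z_:][\w:.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>`;
const REF_SRC = String.raw`&(#x[0-9A-Fa-f]+|#[0-9]+|[A-Za-z_:][\w:.-]*);`;

class BudgetError extends Error {}

const DEFAULT_LIMITS = { maxEntityCount: 16, maxDepth: 8, maxExpandedLength: 65536, maxNumericRefs: 1000 };

// Split the document into its internal DTD subset (entity name -> replacement text)
// and the remaining body.
function splitInternalSubset(xml) {
  const decls = new Map();
  const m = DOCTYPE_RE.exec(xml);
  if (!m) return { decls, body: xml };
  const declRe = new RegExp(ENTITY_DECL_SRC, 'g');
  let d;
  while ((d = declRe.exec(m[1] || '')) !== null) {
    decls.set(d[1], d[2] !== undefined ? d[2] : d[3]);
  }
  return { decls, body: xml.slice(0, m.index) + xml.slice(m.index + m[0].length) };
}

// Worst-case expanded length of one entity, resolving nested references with a
// recursion check and a depth cap. Numeric references and predefined/unknown
// named entities count as one character each.
function expansionOf(name, decls, limits, memo, stack, depth) {
  if (stack.has(name)) throw new BudgetError(`recursive entity ${name}`);
  if (memo.has(name)) return memo.get(name);
  if (!decls.has(name)) return 1;
  if (depth > limits.maxDepth) throw new BudgetError('maxDepth');
  stack.add(name);
  const value = decls.get(name);
  const refRe = new RegExp(REF_SRC, 'g');
  let length = 0, last = 0, r;
  while ((r = refRe.exec(value)) !== null) {
    length += r.index - last;
    length += r[1][0] === '#' ? 1 : expansionOf(r[1], decls, limits, memo, stack, depth + 1);
    last = refRe.lastIndex;
    if (length > limits.maxExpandedLength) throw new BudgetError('maxExpandedLength');
  }
  length += value.length - last;
  stack.delete(name);
  memo.set(name, length);
  return length;
}

// Returns { ok, reason, entityCount, numericRefs, expandedLength }, where
// expandedLength counts only characters produced by reference expansion in the body.
function xmlExpansionBudget(xml, limits = {}) {
  const cfg = { ...DEFAULT_LIMITS, ...limits };
  const { decls, body } = splitInternalSubset(xml);
  const report = { ok: true, reason: null, entityCount: decls.size, numericRefs: 0, expandedLength: 0 };
  const reject = (reason) => Object.assign(report, { ok: false, reason });
  if (decls.size > cfg.maxEntityCount) return reject('maxEntityCount');
  const memo = new Map();
  try {
    for (const name of decls.keys()) expansionOf(name, decls, cfg, memo, new Set(), 1);
    const refRe = new RegExp(REF_SRC, 'g');
    let r;
    while ((r = refRe.exec(body)) !== null) {
      if (r[1][0] === '#') {
        report.numericRefs += 1;
        report.expandedLength += 1;
        if (report.numericRefs > cfg.maxNumericRefs) return reject('maxNumericRefs');
      } else {
        report.expandedLength += expansionOf(r[1], decls, cfg, memo, new Set(), 1);
      }
      if (report.expandedLength > cfg.maxExpandedLength) return reject('maxExpandedLength');
    }
  } catch (e) {
    if (e instanceof BudgetError) return reject(e.message);
    throw e;
  }
  return report;
}

// Constructed samples (not taken from any advisory on this page).
const BILLION_LAUGHS = `<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "${'&lol;'.repeat(10)}">
 <!ENTITY lol2 "${'&lol1;'.repeat(10)}">
 <!ENTITY lol3 "${'&lol2;'.repeat(10)}">
 <!ENTITY lol4 "${'&lol3;'.repeat(10)}">
 <!ENTITY lol5 "${'&lol4;'.repeat(10)}">
]>
<lolz>&lol5;</lolz>`;
const NUMERIC_FLOOD = `<a>${'&#65;'.repeat(1500)}</a>`;
const BENIGN = `<?xml version="1.0"?><doc>caf&#233; &amp; &#x1F600; tea</doc>`;

console.log(JSON.stringify(xmlExpansionBudget(BILLION_LAUGHS)));
```

Gate the parser on the report's ok flag. The check is deliberately parser-independent, so it holds regardless of which fast-xml-parser version or option set is installed; a deployment that never needs a DOCTYPE should simply reject any document containing one rather than rely on the budget.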
Github Security Blog
added 2026/02/26 10:33 p.m., 6 views

fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

Impact: The application crashes with a stack overflow when a user uses the XML builder with preserveOrder:true for the following or similar input: 'foo': 'bar': '@V': 'baz'. Cause: arrToStr was not validating whether the input is an array or a string and treated all non-array values as text content. What kind of...

CVSS 7.5, AI score 5.8, EPSS 0.00018
Exploits: 0, References: 5, Affected Software: 1
vulnersOsv
added 2026/02/26 10:33 p.m., 4 views

@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.8), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1117 more potentially affected by CVE-2026-27942 via fast-xml-parser (>=5.0.1 <=5.3.7)

fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =0.5.3, =0.2.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =3.13.0 and more. Source CVEs: CVE-2026-27942. Source advisory: OSV:GHSA-FJ3W-JWP8-X2G3...

CVSS 7.5, AI score 7.2, EPSS 0.00018
Exploits: 0
OSV
added 2026/02/26 10:33 p.m., 3 views

GHSA-FJ3W-JWP8-X2G3 fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

Impact: The application crashes with a stack overflow when a user uses the XML builder with preserveOrder:true for the following or similar input: 'foo': 'bar': '@V': 'baz'. Cause: arrToStr was not validating whether the input is an array or a string and treated all non-array values as text content. What kind of...

CVSS 6.9, AI score 5.9, EPSS 0.00018
Exploits: 0, References: 5
vulnersOsv
added 2026/02/26 10:33 p.m., 6 views

5-ifc-check-cli (=1.0.0), 7ghost (>=4.11.2 <=4.11.46) +4170 more potentially affected by CVE-2026-27942 via fast-xml-parser (>=4.0.0-beta.2 <=4.5.3)

fast-xml-parser NPM version =4.0.0-beta.2, =4.11.2, =0.1.1, =0.0.2, =1.0.1, =1.0.0, =0.0.1, =1.0.0, =0.0.1, =0.0.1, =0.0.3 and more. Source CVEs: CVE-2026-27942. Source advisory: OSV:GHSA-FJ3W-JWP8-X2G3...

CVSS 7.5, AI score 7.2, EPSS 0.00018
Exploits: 0
RedhatCVE
added 2026/02/26 3:10 p.m., 6 views

CVE-2026-27942

A flaw was found in fast-xml-parser. A user can exploit this flaw by processing specially crafted XML data with the XML builder when the preserveOrder option is enabled. This can lead to a stack overflow, causing the application to crash and resulting in a denial of service (DoS). Mitigation: To...

CVSS 7.5, AI score 5.7, EPSS 0.00018
Exploits: 0, References: 6
Snyk
added 2026/02/26 6:18 a.m., 3 views

Buffer Overflow

Overview: fast-xml-parser is a package to validate XML, parse XML and build XML without C/C++ based libraries. Affected versions of this package are vulnerable to Buffer Overflow via the XMLBuilder when preserveOrder:true is set. An attacker can cause the application to crash by providing specially crafted input...

CVSS 7.5, AI score 6, EPSS 0.00018
Exploits: 0, References: 2
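The CVE-2026-27942 entries (GHSA-FJ3W-JWP8-X2G3) all trace the crash to the builder accepting a non-array where a child-node array is expected when preserveOrder is true. When the node tree comes from an untrusted source, such as a JSON request body, validating its shape and depth before calling XMLBuilder removes that crash path regardless of the installed version. The validator below is an added example for this page, not fast-xml-parser code. It assumes the preserveOrder tree shape from the library's documentation (an array of node objects, tag keys mapping to child arrays, ':@' for the attribute group, '#text' for text); the sample trees are constructed here. The same depth-bounding idea applies to the deeply nested DTD content models in the expat entries (CVE-2026-4224), although that input goes to a C parser rather than a JS builder.

```javascript
// Shape and depth validator for the preserveOrder node tree passed to XMLBuilder.
// Added example, not library code. Assumed shape (from fast-xml-parser's
// preserveOrder documentation): the tree is an ARRAY of node objects; in a node,
// a tag-name key maps to an ARRAY of child nodes, ':@' maps to an object of
// attribute values, and '#text' maps to a string/number/boolean.

const ATTR_GROUP_KEY = ':@';
const TEXT_KEY = '#text';

const typeName = (v) => (v === null ? 'null' : Array.isArray(v) ? 'array' : typeof v);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const isScalar = (v) => ['string', 'number', 'boolean'].includes(typeof v);

// Returns { ok, problems, nodeCount }; problems are JSONPath-like strings.
function validatePreserveOrderTree(tree, { maxDepth = 64, maxNodes = 10000 } = {}) {
  const ctx = { problems: [], nodeCount: 0, maxDepth, maxNodes };
  walkNodes(tree, 0, '$', ctx);
  return { ok: ctx.problems.length === 0, problems: ctx.problems, nodeCount: ctx.nodeCount };
}

function walkNodes(nodes, depth, path, ctx) {
  if (!Array.isArray(nodes)) {
    ctx.problems.push(`${path}: expected an array of nodes, got ${typeName(nodes)}`);
    return;
  }
  // Stop before recursing past maxDepth; this also protects the validator's own stack.
  if (depth > ctx.maxDepth) {
    ctx.problems.push(`${path}: nesting depth ${depth} exceeds ${ctx.maxDepth}`);
    return;
  }
  for (let i = 0; i < nodes.length; i++) {
    const node = nodes[i];
    const p = `${path}[${i}]`;
    if (++ctx.nodeCount > ctx.maxNodes) {
      ctx.problems.push(`${p}: more than ${ctx.maxNodes} nodes`);
      return;
    }
    if (!isPlainObject(node)) {
      ctx.problems.push(`${p}: expected a node object, got ${typeName(node)}`);
      continue;
    }
    for (const [key, value] of Object.entries(node)) {
      if (key === ATTR_GROUP_KEY) {
        if (!isPlainObject(value)) {
          ctx.problems.push(`${p}.${key}: attributes must be an object, got ${typeName(value)}`);
        } else {
          for (const [name, v] of Object.entries(value)) {
            if (!isScalar(v)) ctx.problems.push(`${p}.${key}.${name}: attribute value must be scalar, got ${typeName(v)}`);
          }
        }
      } else if (key === TEXT_KEY) {
        if (!isScalar(value)) ctx.problems.push(`${p}.${key}: text must be scalar, got ${typeName(value)}`);
      } else if (!Array.isArray(value)) {
        // The shape the advisory describes: a tag whose "children" is a bare object or string.
        ctx.problems.push(`${p}.${key}: children must be an array, got ${typeName(value)}`);
      } else {
        walkNodes(value, depth + 1, `${p}.${key}`, ctx);
      }
    }
  }
}

// Constructed inputs (not taken from any advisory on this page).
const GOOD_TREE = [{ root: [{ ':@': { '@_id': '1' }, child: [{ '#text': 'hi' }] }] }];
const BAD_TREE = [{ foo: { bar: { '@V': 'baz' } } }];
function deepTree(depth) {
  let t = [{ '#text': 'x' }];
  for (let i = 0; i < depth; i++) t = [{ d: t }];
  return t;
}

console.log(JSON.stringify(validatePreserveOrderTree(BAD_TREE)));
```

Call validatePreserveOrderTree on the untrusted tree and only hand it to the builder when ok is true; the problems list is safe to return to the caller since it contains paths, not input values.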
vulnersOsv
added 2026/02/26 6:18 a.m., 4 views

5-ifc-check-cli (=1.0.0), 7ghost (>=4.11.2 <=4.11.46) +4170 more potentially affected by CVE-2026-27942 via fast-xml-parser (>=4.0.0-beta.2 <=4.5.3)

fast-xml-parser NPM version =4.0.0-beta.2, =4.11.2, =0.1.1, =0.0.2, =1.0.1, =1.0.0, =0.0.1, =1.0.0, =0.0.1, =0.0.1, =0.0.3 and more. Source CVEs: CVE-2026-27942. Source advisory: SNYK:JS-FASTXMLPARSER-15353391...

CVSS 7.5, AI score 7.2, EPSS 0.00018
Exploits: 0
vulnersOsv
added 2026/02/26 6:18 a.m., 3 views

com.codbex.atlas:codbex-atlas-application (>=2.62.0 <=2.108.0), com.codbex.gaia:codbex-gaia-application (>=2.61.0 <=2.64.0) +22 more potentially affected by CVE-2026-27942 via org.webjars.npm:fast-xml-parser (>=4.5.3 <=5.2.5)

org.webjars.npm:fast-xml-parser MAVEN version =4.5.3, =2.62.0, =2.61.0, =2.52.0, =2.52.0, =2.51.0, =2.51.0, =3.6.0, =2.50.0, =5.0.0, =5.0.0, =11.58.0, =12.2.0, =11.58.0, =11.58.0, =11.48.2, =12.1.0 and more. Source CVEs: CVE-2026-27942. Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15353392...

CVSS 7.5, AI score 7.2, EPSS 0.00018
Exploits: 0