2719 matches found
CVE-2026-25896 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...
CVE-2026-25896
CVE-2026-25896 affects the Node.js XML parser fast-xml-parser. From 4.1.3 up to (but not including) 5.3.5, a dot in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing shadowing of built-in entities and bypassing encoding, which can lead to XSS when parsed out...
CVE-2026-25896 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...
@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.8), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1091 more potentially affected by CVE-2026-25896 via fast-xml-parser (>=5.0.1 <=5.3.4)
fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =1.4.37, =1.6.11, =1.7.1 and more Source cves: CVE-2026-25896 Source advisory: OSV:GHSA-M7JM-9GC2-MPF2...
GHSA-M7JM-9GC2-MPF2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
Entity encoding bypass via regex injection in DOCTYPE entity names Summary A dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities , , &, ", ' with arbitrary values. This bypasses entity encoding and leads to...
Incorrect Regular Expression
Overview org.webjars.npm:fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries Affected versions of this package are vulnerable to Incorrect Regular Expression in the entity parsing RegEx in DOCTYPE declarations. An attacker can inject arbitrary values that overrid...
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
Entity encoding bypass via regex injection in DOCTYPE entity names Summary A dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities , , &, ", ' with arbitrary values. This bypasses entity encoding and leads to...
com.codbex.atlas:codbex-atlas-application (>=2.62.0 <=2.108.0), com.codbex.gaia:codbex-gaia-application (>=2.61.0 <=2.64.0) +22 more potentially affected by CVE-2026-25896 via org.webjars.npm:fast-xml-parser (>=4.5.3 <=5.2.5)
org.webjars.npm:fast-xml-parser MAVEN version =4.5.3, =2.62.0, =2.61.0, =2.52.0, =2.52.0, =2.51.0, =2.51.0, =3.6.0, =2.50.0, =5.0.0, =5.0.0, =11.58.0, =12.2.0, =11.58.0, =11.58.0, =11.48.2, =12.1.0 and more Source cves: CVE-2026-25896 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15324290...
5-ifc-check-cli (=1.0.0), 7ghost (>=4.11.2 <=4.11.46) +3889 more potentially affected by CVE-2026-25896 via fast-xml-parser (>=4.1.3 <=4.5.3)
fast-xml-parser NPM version =4.1.3, =4.11.2, =0.1.1, =0.0.2, =1.0.1, =1.0.0, =0.0.1, =1.0.0, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2026-25896 Source advisory: SNYK:JS-FASTXMLPARSER-15324289...
Incorrect Regular Expression
Overview fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries Affected versions of this package are vulnerable to Incorrect Regular Expression in the entity parsing RegEx in DOCTYPE declarations. An attacker can inject arbitrary values that override built-in XML...
5-ifc-check-cli (=1.0.0), 7ghost (>=4.11.2 <=4.11.46) +3889 more potentially affected by CVE-2026-25896 via fast-xml-parser (>=4.1.3 <=4.5.3)
fast-xml-parser NPM version =4.1.3, =4.11.2, =0.1.1, =0.0.2, =1.0.1, =1.0.0, =0.0.1, =1.0.0, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2026-25896 Source advisory: OSV:GHSA-M7JM-9GC2-MPF2...
@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.8), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1091 more potentially affected by CVE-2026-25896 via fast-xml-parser (>=5.0.1 <=5.3.4)
fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =1.4.37, =1.6.11, =1.7.1 and more Source cves: CVE-2026-25896 Source advisory: SNYK:JS-FASTXMLPARSER-15324289...
fast-xml-parser 安全漏洞
fast-xml-parser is an open-source library developed by Natural Intelligence. It is used for quickly validating, parsing, and processing XML files without relying on C/C++-based libraries or callbacks. There were security vulnerabilities in versions 4.1.3 to 5.3.5 of fast-xml-parser, where the dot...
PT-2026-21298
Name of the Vulnerable Software and Affected Versions fast-xml-parser versions 4.1.3 through 5.3.5 Description fast-xml-parser has a flaw in how it handles DOCTYPE entity names during XML parsing. Specifically, a dot . within an entity name is treated as a regex wildcard during entity replacement...
CVE-2026-26278
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible ...
CVE-2026-26278
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible ...
UBUNTU-CVE-2026-26278
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible ...
CVE-2026-26278 fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible ...
CVE-2026-26278
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible ...
CVE-2026-26278 fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible ...