2719 matches found
CVE-2026-26278 fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible ...
CVE-2026-26278
CVE-2026-26278 affects the fast-xml-parser library. In versions 4.1.3 through 5.3.5, the XML parser could be forced into unbounded entity expansion, causing a single small XML input to consume seconds/minutes of CPU time and freeze the app. The issue is resolved in version 5.3.6. A workaround is ...
CVE-2026-26278
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible ...
fast-xml-parser Security Vulnerability
fast-xml-parser is an open-source library developed by Natural Intelligence. It is used for quickly validating, parsing, and processing XML files without relying on C/C++-based libraries or callbacks. Fast-xml-parser versions 5.3.5 and earlier contain security vulnerabilities. These vulnerabiliti...
Linux Distros Unpatched Vulnerability : CVE-2026-26278
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1...
AIX (IJ57282)
The version of AIX installed on the remote host is prior to APAR IJ57282. It is, therefore, affected by a vulnerability as referenced in the IJ57282 advisory. - A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function...
@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.8), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1093 more potentially affected by CVE-2026-26278 via fast-xml-parser (>=5.0.1 <=5.3.5)
fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =1.4.37, =1.6.11, =1.7.1 and more Source cves: CVE-2026-26278 Source advisory: OSV:GHSA-JMR7-XGP7-CMFJ...
GHSA-JMR7-XGP7-CMFJ fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
Summary: The XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Details: There is a check in DocTypeReader.js that trie...
@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.8), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1093 more potentially affected by CVE-2026-26278 via fast-xml-parser (>=5.0.1 <=5.3.5)
fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =1.4.37, =1.6.11, =1.7.1 and more Source cves: CVE-2026-26278 Source advisory: SNYK:JS-FASTXMLPARSER-15307668...
5-ifc-check-cli (=1.0.0), 7ghost (>=4.11.2 <=4.11.46) +3889 more potentially affected by CVE-2026-26278 via fast-xml-parser (>=4.1.3 <=4.5.3)
fast-xml-parser NPM version =4.1.3, =4.11.2, =0.1.1, =0.0.2, =1.0.1, =1.0.0, =0.0.1, =1.0.0, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2026-26278 Source advisory: OSV:GHSA-JMR7-XGP7-CMFJ...
5-ifc-check-cli (=1.0.0), 7ghost (>=4.11.2 <=4.11.46) +3889 more potentially affected by CVE-2026-26278 via fast-xml-parser (>=4.1.3 <=4.5.3)
fast-xml-parser NPM version =4.1.3, =4.11.2, =0.1.1, =0.0.2, =1.0.1, =1.0.0, =0.0.1, =1.0.0, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2026-26278 Source advisory: SNYK:JS-FASTXMLPARSER-15307668...
XML Entity Expansion
Overview: fast-xml-parser is a library to validate XML, parse XML, and build XML without C/C++ based libraries. Affected versions of this package are vulnerable to XML Entity Expansion in replaceEntitiesValue when handling excessive DOCTYPE input. An attacker can cause excessive resource consumption and make the...
com.codbex.atlas:codbex-atlas-application (>=2.62.0 <=2.108.0), com.codbex.gaia:codbex-gaia-application (>=2.61.0 <=2.64.0) +22 more potentially affected by CVE-2026-26278 via org.webjars.npm:fast-xml-parser (>=4.5.3 <=5.2.5)
org.webjars.npm:fast-xml-parser MAVEN version =4.5.3, =2.62.0, =2.61.0, =2.52.0, =2.52.0, =2.51.0, =2.51.0, =3.6.0, =2.50.0, =5.0.0, =5.0.0, =11.58.0, =12.2.0, =11.58.0, =11.58.0, =11.48.2, =12.1.0 and more Source cves: CVE-2026-26278 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15325721...
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
Summary: The XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Details: There is a check in DocTypeReader.js that trie...
[SECURITY] Fedora 42 Update: mingw-expat-2.7.4-1.fc42
This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with the parser prior to starting the parse. These handlers are called when the parser discovers the associated structures in the document being parse...
[SECURITY] Fedora 43 Update: mingw-expat-2.7.4-1.fc43
This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with the parser prior to starting the parse. These handlers are called when the parser discovers the associated structures in the document being parse...
CLSA-2026-1770735514 expat: Fix of CVE-2026-24515
CVE-2026-24515: Fix a null pointer dereference in the XML parser caused by the failure to copy user data for unknown encoding handlers...
poc-ghsa-37qj-frw5-hhjh
PoC: GHSA-37qj-frw5-hhjh — fast-xml-...
CLSA-2026-1770734305 expat: Fix of CVE-2026-24515
CVE-2026-24515: Fix a null pointer dereference in the XML parser caused by the failure to copy user data for unknown encoding handlers...
Moderate: Red Hat Security Advisory: python3.9 security update
An update for python3.9 is now available for Red Hat Enterprise Linux 9.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available fo...