CVE-2026-25128 fast-xml-parser has RangeError DoS Numeric Entities Bug

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-rang...

CVE-2026-25128

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-rang...

EUVD-2026-5026

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-rang...

CVE-2026-25128

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-rang...

CVE-2026-25128

The CVE-2026-25128 issue affects the fast-xml-parser library (XMLParser) where numeric entity processing can trigger a RangeError when parsing out-of-range code points (e.g., � or �). The vulnerability exists in versions 4.3.6 through 5.3.3 and causes an uncaught exception, crashing applications ...

CVE-2026-25128 fast-xml-parser has RangeError DoS Numeric Entities Bug

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-rang...

PT-2026-5410

Name of the Vulnerable Software and Affected Versions fast-xml-parser versions 4.3.6 through 5.3.3 Description fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a...

MiracleLinux 7 : xerces-c-3.1.1-10.el7 (AXSA:2020-4490:01)

The remote MiracleLinux 7 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2020-4490:01 advisory. xerces-c: XML parser contains a use-after-free error triggered during the scanning of external DTDs CVE-2018-1311 Tenable has extracted the preceding...

MiracleLinux 8 : python27:2.7 (AXSA:2021-2091:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-2091:01 advisory. python: CRLF injection via HTTP request method in httplib/http.client CVE-2020-26116 python-urllib3: CRLF injection via HTTP request method...

MiracleLinux 4 : expat-2.0.1-11.AXS4 (AXSA:2012-577:01)

The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2012-577:01 advisory. This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers wi...

MiracleLinux 4 : libxml2-2.7.6-14.1.0.2.AXS4 (AXSA:2014-350:02)

The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2014-350:02 advisory. This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes...

CVE-2023-49656

Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks...

CVE-2018-14383

The Transition Technologies "The Scheduler" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser. It was fixed in the versions 5.2.1 and 3.3.7...

CVE-2021-28684

The XML parser used in ConeXware PowerArchiver before 20.10.02 allows processing of external entities, which might lead to exfiltration of local files over the network via an XXE attack...

CVE-2021-28110

/exec in TranzWare e-Commerce Payment Gateway TWEC PG before 3.1.27.5 had a vulnerability in its XML parser...

CVE-2020-12684

XXE injection can occur in i-net Clear Reports 2019 19.0.287 Designer, as used in i-net HelpDesk and other products, when XML input containing a reference to an external entity is processed by a weakly configured XML parser...

CVE-2026-21499

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML parser. This issue has been patched in version 2.3.1.2...

CVE-2022-23640

Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no...

CVE-2026-21499

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML parser. This issue has been patched in version 2.3.1.2...

CVE-2026-21502 NULL Pointer Dereference in iccDEV XML Tag Parser

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML tag parser. This issue has been patched in version 2.3.1.2...