
2702 matches found

Cvelist
added 2026/03/16 5:52 p.m., 20 views

CVE-2026-4224 Stack overflow parsing XML with deeply nested DTD content models

When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model, a C stack overflow occurs...

6 CVSS, 0.0005 EPSS
Exploits: 0, References: 8

CNNVD
added 2026/03/16 12:00 a.m., 2 views

libexpat Code Issue Vulnerability

libexpat is a streaming XML parser written in C language by the libexpat team. Versions of libexpat prior to 2.7.5 had code vulnerabilities; these vulnerabilities stemmed from allowing null pointer dereferencing when handling empty external parameter entity content...

5.5 CVSS, 7.2 AI score, 0.00006 EPSS
Exploits: 0, References: 3

Veracode
added 2026/03/04 8:04 a.m., 3 views

Stack Overflow

fast-xml-parser is vulnerable to a stack overflow. The vulnerability is due to improper handling in the XML builder when preserveOrder:true is enabled, which allows an attacker to trigger a stack overflow and crash the application by providing crafted input data...

7.5 CVSS, 6 AI score, 0.00018 EPSS
Exploits: 0, References: 4, Affected Software: 1

Tenable Nessus
added 2026/03/01 12:00 a.m., 7 views

Linux Distros Unpatched Vulnerability : CVE-2026-27942

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to versio...

7.5 CVSS, 7.1 AI score, 0.00018 EPSS
Exploits: 0, References: 3

Packet Storm
added 2026/02/27 12:00 a.m., 118 views

fast-xml-parser 5.3.5 Denial of Service

A denial of service vulnerability was identified in fast-xml-parser affecting versions 4.1.3 through 5.3.5. The issue arises from improper handling of XML Document Type Definitions (DTD), specifically when processing internal entity expansion. An attacker can supply a crafted XML payload containing...

5.9 AI score
Exploits: 0

Github Security Blog
added 2026/02/26 10:33 p.m., 5 views

fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

Impact: Application crashes with stack overflow when the user uses the XML builder with preserveOrder:true for the following or similar input: 'foo': 'bar': '@V': 'baz'. Cause: arrToStr was not validating if the input is an array or a string and treating all non-array values as text content. What kind of...

7.5 CVSS, 5.8 AI score, 0.00018 EPSS
Exploits: 0, References: 5, Affected Software: 1

vulnersOsv
added 2026/02/26 10:33 p.m., 4 views

@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.8), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1125 more potentially affected by CVE-2026-27942 via fast-xml-parser (>=5.0.1 <=5.3.7)

fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =0.5.3, =0.2.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =3.13.0 and more Source cves: CVE-2026-27942 Source advisory: OSV:GHSA-FJ3W-JWP8-X2G3...

7.5 CVSS, 7.1 AI score, 0.00018 EPSS
Exploits: 0

OSV
added 2026/02/26 10:33 p.m., 1 view

GHSA-FJ3W-JWP8-X2G3 fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

Impact: Application crashes with stack overflow when the user uses the XML builder with preserveOrder:true for the following or similar input: 'foo': 'bar': '@V': 'baz'. Cause: arrToStr was not validating if the input is an array or a string and treating all non-array values as text content. What kind of...

6.9 CVSS, 5.9 AI score, 0.00018 EPSS
Exploits: 0, References: 5

vulnersOsv
added 2026/02/26 10:33 p.m., 6 views

5-ifc-check-cli (=1.0.0), 7ghost (>=4.11.2 <=4.11.46) +4139 more potentially affected by CVE-2026-27942 via fast-xml-parser (>=4.0.0-beta.2 <=4.5.3)

fast-xml-parser NPM version =4.0.0-beta.2, =4.11.2, =0.1.1, =0.0.2, =1.0.1, =1.0.0, =0.0.1, =1.0.0, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2026-27942 Source advisory: OSV:GHSA-FJ3W-JWP8-X2G3...

7.5 CVSS, 7.1 AI score, 0.00018 EPSS
Exploits: 0

RedhatCVE
added 2026/02/26 3:10 p.m., 5 views

CVE-2026-27942

A flaw was found in fast-xml-parser. A user can exploit this flaw by processing specially crafted XML data with the XML builder when the preserveOrder option is enabled. This can lead to a stack overflow, causing the application to crash and resulting in a Denial of Service (DoS). Mitigation: To...

7.5 CVSS, 5.7 AI score, 0.00018 EPSS
Exploits: 0, References: 6

Snyk
added 2026/02/26 6:18 a.m., 3 views

Buffer Overflow

Overview: fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries. Affected versions of this package are vulnerable to Buffer Overflow via the XMLBuilder when preserveOrder:true is set. An attacker can cause the application to crash by providing specially crafted input...

7.5 CVSS, 6 AI score, 0.00018 EPSS
Exploits: 0, References: 2

vulnersOsv
added 2026/02/26 6:18 a.m., 3 views

5-ifc-check-cli (=1.0.0), 7ghost (>=4.11.2 <=4.11.46) +4139 more potentially affected by CVE-2026-27942 via fast-xml-parser (>=4.0.0-beta.2 <=4.5.3)

fast-xml-parser NPM version =4.0.0-beta.2, =4.11.2, =0.1.1, =0.0.2, =1.0.1, =1.0.0, =0.0.1, =1.0.0, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2026-27942 Source advisory: SNYK:JS-FASTXMLPARSER-15353391...

7.5 CVSS, 7.1 AI score, 0.00018 EPSS
Exploits: 0

vulnersOsv
added 2026/02/26 6:18 a.m., 3 views

com.codbex.atlas:codbex-atlas-application (>=2.62.0 <=2.107.0), com.codbex.gaia:codbex-gaia-application (>=2.61.0 <=2.64.0) +22 more potentially affected by CVE-2026-27942 via org.webjars.npm:fast-xml-parser (>=4.5.3 <=5.2.5)

org.webjars.npm:fast-xml-parser MAVEN version =4.5.3, =2.62.0, =2.61.0, =2.52.0, =2.52.0, =2.51.0, =2.51.0, =3.6.0, =2.50.0, =5.0.0, =5.0.0, =11.58.0, =12.2.0, =11.58.0, =11.58.0, =11.48.2, =12.1.0 and more Source cves: CVE-2026-27942 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15353392...

7.5 CVSS, 7.1 AI score, 0.00018 EPSS
Exploits: 0

Snyk
added 2026/02/26 6:18 a.m., 5 views

Buffer Overflow

Overview: org.webjars.npm:fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries. Affected versions of this package are vulnerable to Buffer Overflow via the XMLBuilder when preserveOrder:true is set. An attacker can cause the application to crash by providing special...

7.5 CVSS, 5.9 AI score, 0.00018 EPSS
Exploits: 0, References: 2

vulnersOsv
added 2026/02/26 6:18 a.m., 3 views

@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.8), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +1125 more potentially affected by CVE-2026-27942 via fast-xml-parser (>=5.0.1 <=5.3.7)

fast-xml-parser NPM version =5.0.1, =0.5.4, =0.0.1, =0.5.3, =0.2.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =3.13.0 and more Source cves: CVE-2026-27942 Source advisory: SNYK:JS-FASTXMLPARSER-15353391...

7.5 CVSS, 7.1 AI score, 0.00018 EPSS
Exploits: 0

OSV
added 2026/02/26 2:16 a.m., 3 views

DEBIAN-CVE-2026-27942

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when the user uses the XML builder with preserveOrder:true. Version 5.3.8 fixes the issue. As...

7.5 CVSS, 7.6 AI score, 0.00018 EPSS
Exploits: 0, References: 1

NVD
added 2026/02/26 2:16 a.m., 6 views

CVE-2026-27942

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when the user uses the XML builder with preserveOrder:true. Version 5.3.8 fixes the issue. As...

7.5 CVSS, 0.00018 EPSS
Exploits: 0, References: 3

UbuntuCve
added 2026/02/26 2:16 a.m., 1 view

CVE-2026-27942

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when the user uses the XML builder with preserveOrder:true. Version 5.3.8 fixes the issue. As...

7.5 CVSS, 5.9 AI score, 0.00018 EPSS
Exploits: 0, References: 4

OSV
added 2026/02/26 2:16 a.m., 1 view

UBUNTU-CVE-2026-27942

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when the user uses the XML builder with preserveOrder:true. Version 5.3.8 fixes the issue. As...

7.5 CVSS, 5.8 AI score, 0.00018 EPSS
Exploits: 0, References: 5

OSV
added 2026/02/26 1:22 a.m., 3 views

CVE-2026-27942 fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when the user uses the XML builder with preserveOrder:true. Version 5.3.8 fixes the issue. As...

6.9 CVSS, 5.9 AI score, 0.00018 EPSS
Exploits: 0, References: 5