CVE-2026-25896

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N                                    

Vulnerability Description

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.

Vulnerability Details

Published Date

February 20, 2026

Last Modified

February 23, 2026

CWE ID

CWE-185

Source

GitHub

Vendor

npm

Product

fast-xml-parser

External References

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-m7jm-9gc2-mpf2
https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e
https://github.com/NaturalIntelligence/fast-xml-parser/commit/ddcd0acf26ddd682cb0dc15a2bd6aa3b96bb1e69
https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.5
https://github.com/advisories/GHSA-m7jm-9gc2-mpf2

CVE-2026-25896

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment