CVE-2026-41650

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N                                    

Vulnerability Description

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.

Vulnerability Details

Published Date

April 22, 2026

Last Modified

May 12, 2026

CWE ID

CWE-91

Source

GitHub

Vendor

npm

Product

fast-xml-parser

External References

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6
https://github.com/advisories/GHSA-gh4j-gqv2-49f6

CVE-2026-41650

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment