CVE-2026-25896

CRITICAL EPSS 35.8%
Published Feb 20, 20264mo ago · Modified Jun 17, 20261w ago
9.3 CVSS 3.1
Critical
Find Similar
Published Feb 20, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.

CVSS Details

Base Score
9.3
Exploitability
3.9
Impact
4.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Low
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
35.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-185

Affected Products 1

VendorProductVersionRange
naturalintelligencefast-xml-parser*≥4.1.3  –  <5.3.5

References 4

  • github.com https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e
    Patch
  • github.com https://github.com/NaturalIntelligence/fast-xml-parser/commit/ddcd0acf26ddd682cb0dc15a2bd6aa3b96bb1e69
    Patch
  • github.com https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.5
    ProductRelease Notes
  • github.com https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-m7jm-9gc2-mpf2
    ExploitMitigationVendor Advisory

Remediation

  • github.com https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e
    Patch
  • github.com https://github.com/NaturalIntelligence/fast-xml-parser/commit/ddcd0acf26ddd682cb0dc15a2bd6aa3b96bb1e69
    Patch