CVE-2026-26278

Published: Feb 19, 2026

Modified: Mar 2, 2026

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.

Vendor	Product	Versions
NaturalIntelligence	fast-xml-parser	affected `>= 5.0.0, < 5.3.6` affected `>= 4.1.3, < 4.5.4`

Weaknesses (CWE)

CWE-776

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj

x_refsource_CONFIRM

https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77

x_refsource_MISC

https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-26278

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References