CVE-2026-32287

Published: Mar 26, 2026

Modified: Mar 30, 2026

PUBLISHED

Description

Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

Vendor	Product	Versions
github.com/antchfx/xpath	github.com/antchfx/xpath	affected `0 - < 1.3.6`

References

https://github.com/antchfx/xpath/issues/121

https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494

https://github.com/golang/vulndb/issues/4526

https://pkg.go.dev/vuln/GO-2026-4526

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-32287

Description

Affected Products

References