PatchSiren cyber security CVE debrief
CVE-2026-44665 NaturalIntelligence CVE debrief
fast-xml-builder prior to version 1.1.7 contains an XML attribute injection vulnerability. When processing JSON input containing quotes within attribute values without entity processing enabled, the library incorrectly splits a single attribute into multiple attributes. This behavior allows injection of unintended attributes into generated XML or HTML output. The vulnerability has a CVSS 3.1 score of 6.1 (MEDIUM severity) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low complexity, no privileges required, user interaction needed, scope change, and low impacts to confidentiality and integrity. The issue was published on 2026-05-13 and last modified on 2026-05-18. It is classified under CWE-91 (XML Injection). No known exploitation in the wild or ransomware campaign use has been reported.
- Vendor: NaturalIntelligence
- Product: fast-xml-builder
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-13
- Advisory updated: 2026-05-18
Who should care
Organizations using fast-xml-builder versions prior to 1.1.7 to generate XML or HTML from untrusted or partially trusted JSON input. Particularly relevant for applications generating HTML documents, SVG content, or XML configurations where attribute integrity is security-critical. Web applications using this library for server-side rendering or API response formatting should prioritize patching.
Technical summary
The fast-xml-builder library constructs XML documents from JSON input. In versions prior to 1.1.7, when the `processEntities` option is disabled (default or explicitly set), double quote characters within attribute values are not properly escaped or handled. This causes the XML serializer to interpret the quote as terminating the current attribute, with subsequent content being parsed as additional attributes. An attacker controlling JSON input could craft values containing quote characters followed by attribute-like syntax (e.g., `value='x' onclick='y'`), resulting in injection of arbitrary attributes into the output document. This is particularly dangerous when the generated XML/HTML is rendered in browser contexts, as injected event handler attributes could enable cross-site scripting. The fix in version 1.1.7 ensures proper handling of quote characters regardless of entity processing configuration.
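To make the splitting behaviour concrete, here is an added example (not fast-xml-builder's own code): a minimal attribute serializer that models the pre-1.1.7 defect, the same serializer with quotes escaped regardless of the entity-processing setting, and an audit helper that detects the symptom by comparing the number of attributes in the output with the number of keys supplied. All function names and the sample JSON value are hypothetical and constructed for this illustration.

```javascript
// Added example modelling the CWE-91 defect described in the advisory.
// Not fast-xml-builder's code; function names are hypothetical.

// Escapes the characters that can break out of a double-quoted attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Models the pre-1.1.7 behaviour: with entity processing off, the value is
// written verbatim between double quotes, so a quote inside the value ends
// the attribute early and the remainder is emitted as further attributes.
function serializeAttrsUnsafe(attrs, processEntities = false) {
  return Object.entries(attrs)
    .map(([k, v]) => `${k}="${processEntities ? escapeAttr(v) : v}"`)
    .join(' ');
}

// Hardened form: escaping is applied regardless of configuration, which is
// the shape of the fix the advisory describes for 1.1.7 (the library's
// actual implementation is not reproduced here).
function serializeAttrsSafe(attrs) {
  return Object.entries(attrs)
    .map(([k, v]) => `${k}="${escapeAttr(v)}"`)
    .join(' ');
}

// Audit helper: counts name="value" / name='value' pairs in a serialized
// start tag. More pairs than input keys is the attribute-splitting symptom.
function countAttributes(tagBody) {
  const re = /([^\s"'=<>\/]+)\s*=\s*("[^"]*"|'[^']*')/g;
  return (tagBody.match(re) || []).length;
}

// Constructed sample: one JSON key whose value contains an embedded quote
// followed by attribute-like syntax, as in the advisory's description.
const untrustedAttrs = { value: 'x" onclick="y' };

// Expected: the unsafe serializer yields 2 attributes from 1 key; the
// hardened one yields exactly 1.
function attributeCountsForSample() {
  return {
    unsafe: countAttributes(serializeAttrsUnsafe(untrustedAttrs)),
    safe: countAttributes(serializeAttrsSafe(untrustedAttrs)),
    inputKeys: Object.keys(untrustedAttrs).length,
  };
}
```

Running `attributeCountsForSample()` against output produced by a real builder is a quick way to check whether an installed version still splits attributes on such input.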
Defensive priority
medium
Recommended defensive actions
- Upgrade fast-xml-builder to version 1.1.7 or later to remediate the XML attribute injection vulnerability
- Review application code that passes user-controlled data to fast-xml-builder to ensure proper input validation
- Enable entity processing if application requirements permit, as this configuration prevents the attribute splitting behavior
- Audit generated XML/HTML output for unexpected attributes if running vulnerable versions
- Monitor for security advisories from the fast-xml-builder project for related fixes
Evidence notes
Vulnerability confirmed through GitHub Security Advisory GHSA-5wm8-gmm8-39j9. Fix version 1.1.7 explicitly addresses the attribute splitting behavior when quotes are present in input data without entity processing.
Official resources
- CVE-2026-44665 CVE record (CVE.org)
- CVE-2026-44665 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-13