fast-xml-builder prior to version 1.1.7 contains an XML attribute injection vulnerability. When processing JSON input containing quotes within attribute values without entity processing enabled, the library incorrectly splits a single attribute into multiple attributes. This behavior allows injection of unintended attributes into generated XML or HTML output. The vulnerability has a CVSS 3.1 score of 6.1 [truncated]
CRITICALNaturalIntelligenceCVE published 2026-02-20
A critical vulnerability was discovered in fast-xml-parser, a popular XML parsing library. The vulnerability, tracked as CVE-2026-25896, allows an attacker to inject malicious XML entities, leading to cross-site scripting (XSS) attacks. The vulnerability affects versions 4.1.3 to before 5.3.5 of the library. An attacker can exploit this vulnerability by crafting a malicious XML document that is then parse [truncated]