MEDIUM
NaturalIntelligence
CVE published 2026-05-13
CVE-2026-44665
fast-xml-builder prior to version 1.1.7 contains an XML attribute injection vulnerability. When processing JSON input containing quotes within attribute values without entity processing enabled, the library incorrectly splits a single attribute into multiple attributes. This behavior allows injection of unintended attributes into generated XML or HTML output. The vulnerability has a CVSS 3.1 score of 6.1 [truncated]
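The attribute split described above, reproduced with a stand-in serializer next to an escaped form and an output check. This is an added example, not code from fast-xml-builder or its advisory; every function name and the sample input are constructed for illustration.

```javascript
// Added illustration; none of this is fast-xml-builder's code or API.
// Naive serializer: writes attribute values verbatim, as the flaw is described.
function buildTagNaive(name, attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => ` ${k}="${v}"`);
  return `<${name}${parts.join('')}/>`;
}

// Hardened form: escape markup-significant characters in attribute values.
// '&' is replaced first so entities produced later are not double-escaped.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

function buildTagSafe(name, attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => ` ${k}="${escapeAttr(v)}"`);
  return `<${name}${parts.join('')}/>`;
}

// Reads double-quoted attributes back the way a consumer would, decoding entities
// ('&amp;' last, so '&amp;quot;' decodes to the text '&quot;', not to a quote).
function parseAttributes(tag) {
  const decode = (s) => s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&apos;/g, "'").replace(/&amp;/g, '&');
  const out = [];
  const re = /([^\s=<>\/"']+)\s*=\s*"([^"]*)"/g;
  for (const m of tag.matchAll(re)) out.push([m[1], decode(m[2])]);
  return out;
}

// Output check: the serialized tag must carry exactly the attributes supplied.
function attributesPreserved(tag, attrs) {
  const want = Object.entries(attrs).map(([k, v]) => [k, String(v)]);
  return JSON.stringify(parseAttributes(tag)) === JSON.stringify(want);
}

// Constructed input: one attribute whose value contains double quotes.
const sample = { title: 'report" injected="1' };
const naive = buildTagNaive('item', sample);
const safe = buildTagSafe('item', sample);
console.log(naive, attributesPreserved(naive, sample));
console.log(safe, attributesPreserved(safe, sample));
```

A round-trip check like `attributesPreserved` can sit in a test suite around any XML or HTML generator that receives untrusted attribute values, independent of which builder version is installed.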