9.3
CVE-2026-25896
- EPSS 0.04%
- Veröffentlicht 20.02.2026 21:19:27
- Zuletzt bearbeitet 02.03.2026 14:54:02
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch National Vulnerability Database (NVD)
Naturalintelligence ≫ Fast-xml-parser Version >= 4.1.3 < 5.3.5
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.12 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 9.3 | 3.9 | 4.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
|
CWE-185 Incorrect Regular Expression
The product specifies a regular expression in a way that causes data to be improperly matched or compared.