6.1
CVE-2026-41650
- EPSS 0.24%
- Veröffentlicht 07.05.2026 13:36:55
- Zuletzt bearbeitet 12.05.2026 20:30:29
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Naturalintelligence ≫ Fast-xml-parser Version < 5.7.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.146 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-91 XML Injection (aka Blind XPath Injection)
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6
https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.6.0