CVE Catalog

CVE-2026-25896

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.45%

36th percentile - higher than 36% of all known CVEs

Summary

In the fast-xml-parser library from version 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered.

Risk Assessment

The organization is exposed to Cross-Site Scripting (XSS) attacks, which could allow injection of malicious JavaScript code into web pages, potentially leading to session data theft, redirects, or content manipulation.

Recommendation

Immediately update the fast-xml-parser library to version 5.3.5 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS