CVE-2026-25896
CriticalCVSS 9.3Exploitation Probability (EPSS)
Low risk36th percentile - higher than 36% of all known CVEs
Summary
In the fast-xml-parser library from version 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered.
Risk Assessment
The organization is exposed to Cross-Site Scripting (XSS) attacks, which could allow injection of malicious JavaScript code into web pages, potentially leading to session data theft, redirects, or content manipulation.
Recommendation
Immediately update the fast-xml-parser library to version 5.3.5 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.

