CVE-2026-25896

EUVD-2026-7529

20.02.2026, 21:19

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (&lt;, &gt;, &amp;, &quot;, &apos;) with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.3 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
naturalintelligence	fast-xml-parser	4.1.3 ≤ 𝑥 < 5.3.5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

node-webfont

bookworm	undetermined
forky	undetermined
sid	undetermined
trixie	undetermined

Known Exploits!

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-m7jm-9gc2-mpf2

Common Weakness Enumeration

CWE-185 - Incorrect Regular Expression
The software specifies a regular expression in a way that causes data to be improperly matched or compared.

References

https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e

https://github.com/NaturalIntelligence/fast-xml-parser/commit/ddcd0acf26ddd682cb0dc15a2bd6aa3b96bb1e69

https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.5

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-m7jm-9gc2-mpf2