fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

Description

No description available.

Recommendation

Update the fast-xml-parser package to the latest compatible version. Followings are version details:

• Affected version(s): < 5.7.0
• Patched version(s): 5.7.0

References

• GHSA-gh4j-gqv2-49f6
• CVE-2026-41650
• CWE-91
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names - CVE-2026-25896
• fast-xml-parser has stack overflow in XMLBuilder with preserveOrder - CVE-2026-27942
• fast-xml-parser vulnerable to Regex Injection via Doctype Entities - CVE-2023-34104
• fast-xml-parser has RangeError DoS Numeric Entities Bug - CVE-2026-25128

You might also like:

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

fast-xml-parser