CVE-2026-26278

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by processEntities: false option.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-776"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26278.json"
}

References

Affected packages

Git / github.com/naturalintelligence/fast-xml-parser

Affected ranges

Type

GIT

Repo

https://github.com/naturalintelligence/fast-xml-parser

Events

Introduced

2f7d138af8338aaf65c1d98902f76259c7233373

Fixed

ecb2ca118ad3d6c62f2cc90416b58da24db5d18b

Database specific

{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.3.6"
        }
    ]
}

Type

GIT

Repo

https://github.com/naturalintelligence/fast-xml-parser

Events

Introduced

292fb784334043214e29fa60adbb5630a36f5768

Fixed

d4eb6b4713a8d11e6730943392419040898ecbc0

Database specific

{
    "versions": [
        {
            "introduced": "4.1.3"
        },
        {
            "fixed": "4.5.4"
        }
    ]
}

Affected versions

v4.*

v4.1.3

v4.1.4

v4.2.0

v4.2.3

v4.2.4

v4.2.5

v4.2.6

v4.2.7

v4.3.0

v4.3.1

v4.3.2

v4.3.3

v4.3.4

v4.3.5

v4.3.6

v4.4.0

v4.4.1

v4.5.0

v4.5.1

v4.5.2

v4.5.3

v5.*

v5.0.0

v5.0.2

v5.0.4

v5.0.6

v5.0.7

v5.0.9

v5.1.0

v5.2.0

v5.2.1

v5.2.2

v5.2.3

v5.2.5

v5.3.0

v5.3.1

v5.3.2

v5.3.3

v5.3.4

v5.3.5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26278.json"