GHSA-45c6-75p6-83cc

Source

https://github.com/advisories/GHSA-45c6-75p6-83cc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-45c6-75p6-83cc/GHSA-45c6-75p6-83cc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-45c6-75p6-83cc

Aliases

CVE-2026-44664

Downstream

MINI-83f7-qrgh-ghfj

Related

CGA-7hpm-mm6g-4846

Published

2026-05-08T16:27:28Z

Modified

2026-05-09T12:44:16.878217944Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

fast-xml-builder Comment Value regex can be bypassed

Details

Summary

The fix for https://github.com/advisories/GHSA-gh4j-gqv2-49f6 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content.

Impact

Any application with comment property enabled allow attacker to inject malicious or unwanted code like JS script tag in the XML/HTML output.

Workarounds

Check for the presence of 3 consecutive dashes externally in the property value used for comment tag.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T16:27:28Z",
    "cwe_ids": [
        "CWE-91"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}

References

Affected packages

npm / fast-xml-builder

Package

Name: fast-xml-builder; View open source insights on deps.dev
Purl: pkg:npm/fast-xml-builder

Affected ranges

Type: SEMVER
Events: Introduced

1.1.5

Fixed

1.1.6

Affected versions

1.*

1.1.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-45c6-75p6-83cc/GHSA-45c6-75p6-83cc.json"