GHSA-5wm8-gmm8-39j9

Suggest an improvement
Source
https://github.com/advisories/GHSA-5wm8-gmm8-39j9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5wm8-gmm8-39j9/GHSA-5wm8-gmm8-39j9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5wm8-gmm8-39j9
Aliases
  • CVE-2026-44665
Downstream
Related
Published
2026-05-08T16:29:10Z
Modified
2026-05-14T20:48:46.153952Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes
Details

Summary

When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.

Detail

Malicious Input

{
      a: {
        "@_attr": '" onClick="alert(1)'
      }
}

Output

<a attr="" onClick="alert(1)"></a>

Workarounds

If you're not ignoring attributes then keep processEntities flag true.

Database specific 
{
    "cwe_ids": [
        "CWE-611",
        "CWE-91"
    ],
    "nvd_published_at": "2026-05-13T16:16:59Z",
    "severity": "HIGH",
    "github_reviewed_at": "2026-05-08T16:29:10Z",
    "github_reviewed": true
}
References

Affected packages

npm / fast-xml-builder

Package

Name
fast-xml-builder
View open source insights on deps.dev
Purl
pkg:npm/fast-xml-builder

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.7

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5wm8-gmm8-39j9/GHSA-5wm8-gmm8-39j9.json"
last_known_affected_version_range 
"<= 1.1.6"