CVE-2026-44665

Source
https://cve.org/CVERecord?id=CVE-2026-44665
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44665.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44665
Aliases
Downstream
Related
Published
2026-05-13T15:24:54.596Z
Modified
2026-07-08T08:02:17.326434733Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes
Details

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44665.json",
    "cwe_ids": [
        "CWE-91"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/naturalintelligence/fast-xml-builder

Affected ranges

Type
GIT
Repo
https://github.com/naturalintelligence/fast-xml-builder
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.1.7"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v1.*
v1.1.0
v1.1.1
v1.1.2
v1.1.4
v1.1.5
v1.1.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44665.json"