CVE-2026-41650
MEDIUM
6,1
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: changed
Confidentiality: low
Integrity: low
Availability: none
Description
AI Translation Available
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the '-->' sequence in comment content or the ']]>' sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,0003
Percentile
0,1th
Updated
Single Data Point
Only one EPSS measurement is available for this CVE. Trend analysis requires multiple data points over time.
91
XML Injection (aka Blind XPath Injection)
DraftCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Availability
Potential Impacts:
Execute Unauthorized Code Or Commands
Read Application Data
Modify Application Data
Applicable Platforms
All platforms may be affected
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA…
https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.6.0
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA…