CVE-2026-44665

Published: Mag 13, 2026 Last Modified: Mag 13, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,1

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: required

Scope: changed

Confidentiality: low

Integrity: low

Availability: none

Description

AI Translation Available

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.

XML Injection (aka Blind XPath Injection)

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability

Potential Impacts:

Execute Unauthorized Code Or Commands Read Application Data Modify Application Data

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/NaturalIntelligence/fast-xml-builder/sec…

https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHS…

CVE-2026-44665

Description

XML Injection (aka Blind XPath Injection)

Common Consequences

Applicable Platforms

Iscriviti alla newsletter