{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26278", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-12T17:10:53.414Z", "datePublished": "2026-02-19T19:40:55.842Z", "dateUpdated": "2026-03-02T19:11:59.388Z"}, "containers": {"cna": {"title": "fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)", "problemTypes": [{"descriptions": [{"cweId": "CWE-776", "lang": "en", "description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj"}, {"name": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77", "tags": ["x_refsource_MISC"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77"}, {"name": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6"}], "affected": [{"vendor": "NaturalIntelligence", "product": "fast-xml-parser", "versions": [{"version": ">= 5.0.0, < 5.3.6", "status": "affected"}, {"version": ">= 4.1.3, < 4.5.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-02T19:11:59.388Z"}, "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it\u2019s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option."}], "source": {"advisory": "GHSA-jmr7-xgp7-cmfj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T20:58:40.378859Z", "id": "CVE-2026-26278", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:21:49.452Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26278", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T20:58:40.378859Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T20:58:41.932Z"}}], "cna": {"title": "fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)", "source": {"advisory": "GHSA-jmr7-xgp7-cmfj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "NaturalIntelligence", "product": "fast-xml-parser", "versions": [{"status": "affected", "version": ">= 5.0.0, < 5.3.6"}, {"status": "affected", "version": ">= 4.1.3, < 4.5.4"}]}], "references": [{"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj", "name": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77", "name": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6", "name": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it\u2019s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-776", "description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-02T19:11:59.388Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26278", "state": "PUBLISHED", "dateUpdated": "2026-03-02T19:11:59.388Z", "dateReserved": "2026-02-12T17:10:53.414Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T19:40:55.842Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*", "matchCriteriaId": "36BABE8E-2E99-48E8-8F1D-2B1CC69D5BB2", "versionEndExcluding": "5.3.6", "versionStartIncluding": "4.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it\u2019s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option."}], "id": "CVE-2026-26278", "lastModified": "2026-02-23T19:30:26.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-19T20:25:43.717", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-776"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion", "id": "2441120", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441120"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-776", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-26278", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "mta/mta-ui-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-core-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-client-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel9", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-console-plugin", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-console-plugin-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-host-inventory-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-vulnerability-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-02-19T19:40:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26278\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26278\nhttps://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77\nhttps://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6\nhttps://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.1.3,5.3.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fast-xml-parser", "source": "cna", "vendor": "NaturalIntelligence"}, "product": "fast-xml-parser", "vendor": "naturalintelligence"}], "analysis": {"en": {"generated_at": "2026-04-16T16:47:50.097540+00:00", "value": {"mitigation_remediation": ["Upgrade fast\u2011xml\u2011parser to version 5.3.6 or newer.", "If an upgrade cannot be performed immediately, configure the parser to disable DOCTYPE processing by setting processEntities to false.", "Monitor the application for unusually long XML parse times and high resource consumption to detect potential abuse."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects NaturalIntelligence\u2019s fast\u2011xml\u2011parser library in releases 4.1.3 to 5.3.5. A fix was released in version 5.3.6, after which the unlimited expansion behavior was removed.", "description_and_impact": "In versions 4.1.3 through 5.3.5, the fast\u2011xml\u2011parser library processes XML without limiting entity expansion in a DOCTYPE declaration, allowing a crafted XML document to trigger repetitive entity expansions that consume CPU and memory and can cause the application to stall. This defect results in a denial of service and is categorized as a resource exhaustion flaw (CWE\u2011776).", "risk_and_exploitability": "With a CVSS score of 7.5 the vulnerability is of high severity, yet its EPSS score is below 1% and it is not listed in CISA\u2019s KEV catalog, indicating a low probability of exploitation in the wild. An attacker would need to supply XML input to a vulnerable application or API that parses XML, and the attack would consume system resources to render the service unavailable."}}}}, "created": "2026-02-20T09:54:10.641681+00:00", "updated": "2026-04-16T17:00:09.357192+00:00", "vendors": ["naturalintelligence", "naturalintelligence$PRODUCT$fast-xml-parser"]}