{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33036", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.210Z", "datePublished": "2026-03-20T05:17:03.290Z", "dateUpdated": "2026-03-25T13:57:58.233Z"}, "containers": {"cna": {"title": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)", "problemTypes": [{"descriptions": [{"cweId": "CWE-776", "lang": "en", "description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"}, {"name": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01", "tags": ["x_refsource_MISC"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"}, {"name": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"}], "affected": [{"vendor": "NaturalIntelligence", "product": "fast-xml-parser", "versions": [{"version": ">= 4.0.0-beta.3, < 5.5.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:17:03.290Z"}, "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like &#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6."}], "source": {"advisory": "GHSA-8gc5-j5rx-235r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:57:14.886976Z", "id": "CVE-2026-33036", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:57:58.233Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33036", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:57:14.886976Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:57:44.654Z"}}], "cna": {"title": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)", "source": {"advisory": "GHSA-8gc5-j5rx-235r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "NaturalIntelligence", "product": "fast-xml-parser", "versions": [{"status": "affected", "version": ">= 4.0.0-beta.3, < 5.5.6"}]}], "references": [{"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r", "name": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01", "name": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6", "name": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like &#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-776", "description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:17:03.290Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33036", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:57:58.233Z", "dateReserved": "2026-03-17T18:10:50.210Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T05:17:03.290Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB9177BC-BACD-4367-9063-398ACE2AB4A7", "versionEndExcluding": "5.5.6", "versionStartIncluding": "4.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "2398B145-2ED8-4197-8838-FAE7AD7666E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "44B6C4BE-69F4-4651-80EE-055D1F99F7EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "4B32E8C4-15A7-466D-98A7-9EDD6B45F883", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "23CDA792-75FA-48A7-8577-4266A0BFB3A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "D4B7FD7D-0059-4D5B-898D-539AB43AA24A", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "42844DDE-AD5B-4684-8104-1C2D133C6098", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8:*:*:*:*:*:*", "matchCriteriaId": "C045B7F2-16A9-47C9-B08D-71847A940B93", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like &#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6."}, {"lang": "es", "value": "fast-xml-parser permite a los usuarios procesar XML desde objetos JS sin bibliotecas basadas en C/C++ ni callbacks. Las versiones 4.0.0-beta.3 hasta la 5.5.5 contienen una vulnerabilidad de bypass donde las referencias de caracteres num\u00e9ricos (&amp;#NNN;, &amp;#xHH;) y las entidades XML est\u00e1ndar evaden completamente los l\u00edmites de expansi\u00f3n de entidades (p. ej., maxTotalExpansions, maxExpandedLength) a\u00f1adidos para corregir CVE-2026-26278, lo que permite la denegaci\u00f3n de servicio por expansi\u00f3n de entidades XML. La causa ra\u00edz es que replaceEntitiesValue() en OrderedObjParser.js solo aplica el conteo de expansi\u00f3n en entidades definidas en DOCTYPE, mientras que el bucle lastEntities que maneja las entidades num\u00e9ricas/est\u00e1ndar no realiza ning\u00fan conteo. Un atacante que suministre 1M de referencias de entidades num\u00e9ricas como A puede forzar una asignaci\u00f3n de memoria de ~147MB y un uso intensivo de CPU, lo que podr\u00eda bloquear el proceso, incluso cuando los desarrolladores han configurado l\u00edmites estrictos. Este problema ha sido corregido en la versi\u00f3n 5.5.6."}], "id": "CVE-2026-33036", "lastModified": "2026-03-23T16:28:10.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T06:16:11.630", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-776"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "fast-xml-parser: fast-xml-parser: Denial of Service via XML entity expansion bypass", "id": "2449458", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449458"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-776", "details": ["A flaw was found in fast-xml-parser. A remote attacker can exploit this vulnerability by supplying specially crafted XML input containing numeric character references or standard XML entities. This input can bypass configured entity expansion limits, leading to excessive memory allocation and high CPU usage. The primary consequence is a Denial of Service (DoS), which can crash the affected process."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33036", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "mta/mta-ui-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-core-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-client-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel9", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-console-plugin", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-console-plugin-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-host-inventory-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-vulnerability-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-03-20T05:17:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33036\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33036\nhttps://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01\nhttps://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6\nhttps://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0-beta.3,5.5.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fast-xml-parser", "source": "cna", "vendor": "NaturalIntelligence"}, "product": "fast-xml-parser", "vendor": "naturalintelligence"}], "analysis": {"en": {"generated_at": "2026-03-23T17:27:04.523666+00:00", "value": {"mitigation_remediation": ["Update fast\u2011xml\u2011parser to version 5.5.6 or later"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via XML entity expansion"}, "threat_synthesis": {"affected_systems": "The issue affects the NaturalIntelligence fast\u2011xml\u2011parser package versions from 4.0.0\u2011beta.3 up through 5.5.5. Applications that import or use this library to parse XML\u2014particularly those that do not have additional size checks\u2014are exposed. The vendor\u2019s repository and release notes indicate that the vulnerability was introduced in the 4.x line and remains until the 5.5.6 release. ", "description_and_impact": "A flaw in the fast-xml-parser library allows an attacker to embed large numbers of numeric character references, such as &#65;, in XML data. The parser mistakenly does not count these references against the configured expansion limits, thereby permitting the creation of hundreds of megabytes of memory allocation and consuming significant CPU cycles. The result is a resource exhaustion attack that can crash or slow down a Node.js application processing XML. The vulnerability is a classic instance of denial of service caused by unchecked data size and is classified under CWE\u2011776. ", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high severity. However, the EPSS score of less than 1% suggests a low probability of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote; an attacker can supply crafted XML to a vulnerable endpoint and trigger the memory and CPU blowup. Process crashes or severe slowdown on the target machine would be the primary outcomes if the application lacks additional safeguards. The advisory explicitly states the fix is available in v5.5.6, which fully enforces the expansion limits for numeric and standard entities."}}}}, "created": "2026-03-20T08:52:29.364289+00:00", "updated": "2026-03-25T14:30:25.269757+00:00", "vendors": ["naturalintelligence", "naturalintelligence$PRODUCT$fast-xml-parser"]}