VulnerableCode Package Details - pkg:npm/fast-xml-parser@4.0.0-beta.6

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/fast-xml-parser@4.0.0-beta.6

Essentials
History (5)

purl	pkg:npm/fast-xml-parser@4.0.0-beta.6

Next non-vulnerable version	5.7.0
Latest non-vulnerable version	5.7.0
Risk	4.0

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-9n1q-kn2a-xfca Aliases: CVE-2026-33036 GHSA-8gc5-j5rx-235r		4.5.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.5.6 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-c46j-zfbx-eyc1 Aliases: CVE-2026-33349 GHSA-jp2q-39xq-3w4g	fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.	4.5.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.5.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-fbce-cxkc-3ube Aliases: CVE-2026-41650 GHSA-gh4j-gqv2-49f6		5.7.0 Affected by 0 other vulnerabilities.
VCID-vdk4-7yzd-yyau Aliases: CVE-2023-26920 GHSA-x3cc-x39p-42qx	fast-xml-parser before 4.1.2 allows __proto__ for Prototype Pollution.	4.1.2 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-z5yj-54hc-qyb9 Aliases: CVE-2026-27942 GHSA-fj3w-jwp8-x2g3	fast-xml-parser has stack overflow in XMLBuilder with preserveOrder	4.5.4 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.3.8 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:12:02.168786+00:00	GitLab Importer	Affected by	VCID-fbce-cxkc-3ube	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-41650.yml	38.6.0
2026-06-12T21:33:18.212374+00:00	GitLab Importer	Affected by	VCID-c46j-zfbx-eyc1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-33349.yml	38.6.0
2026-06-12T21:30:53.597784+00:00	GitLab Importer	Affected by	VCID-9n1q-kn2a-xfca	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-33036.yml	38.6.0
2026-06-12T21:10:47.586216+00:00	GitLab Importer	Affected by	VCID-z5yj-54hc-qyb9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-27942.yml	38.6.0
2026-06-12T18:57:03.236902+00:00	GitLab Importer	Affected by	VCID-vdk4-7yzd-yyau	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2023-26920.yml	38.6.0