Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/fast-xml-parser@5.3.5

Type npm

Namespace

Name fast-xml-parser

Version 5.3.5

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.7.0

Latest_non_vulnerable_version 5.7.0

Affected_by_vulnerabilities

url VCID-87wh-4hga-bbak

vulnerability_id VCID-87wh-4hga-bbak

summary

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26278.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26278.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-26278

reference_id

reference_type

scores

value	0.00032
scoring_system	epss
scoring_elements	0.09696
published_at	2026-06-12T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09646
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-26278

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/NaturalIntelligence/fast-xml-parser

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2441120
reference_id	2441120
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2441120

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77

reference_id

910dae5be2de2955e968558fadf6e8f74f117a77

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-19T20:58:40Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-26278

reference_id

CVE-2026-26278

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-26278

reference_url

https://github.com/advisories/GHSA-jmr7-xgp7-cmfj

reference_id

GHSA-jmr7-xgp7-cmfj

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jmr7-xgp7-cmfj

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj

reference_id

GHSA-jmr7-xgp7-cmfj

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-19T20:58:40Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj

reference_url	https://access.redhat.com/errata/RHSA-2026:6174
reference_id	RHSA-2026:6174
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6174

reference_url	https://access.redhat.com/errata/RHSA-2026:6802
reference_id	RHSA-2026:6802
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6802

reference_url	https://access.redhat.com/errata/RHSA-2026:7110
reference_id	RHSA-2026:7110
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7110

reference_url	https://access.redhat.com/errata/RHSA-2026:7128
reference_id	RHSA-2026:7128
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7128

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6

reference_id

v5.3.6

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-19T20:58:40Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6

fixed_packages

url pkg:npm/fast-xml-parser@5.3.6

purl pkg:npm/fast-xml-parser@5.3.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9n1q-kn2a-xfca

vulnerability	VCID-c46j-zfbx-eyc1

vulnerability	VCID-fbce-cxkc-3ube

vulnerability	VCID-z5yj-54hc-qyb9

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fast-xml-parser@5.3.6

aliases CVE-2026-26278, GHSA-jmr7-xgp7-cmfj

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-87wh-4hga-bbak

url VCID-9n1q-kn2a-xfca

vulnerability_id VCID-9n1q-kn2a-xfca

summary

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33036.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33036.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33036

reference_id

reference_type

scores

value	0.00027
scoring_system	epss
scoring_elements	0.08212
published_at	2026-06-11T12:55:00Z

value	0.00027
scoring_system	epss
scoring_elements	0.08247
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33036

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/NaturalIntelligence/fast-xml-parser

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.5.5

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.5.5

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33036

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33036

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2449458
reference_id	2449458
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2449458

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01

reference_id

bd26122c838e6a55e7d7ac49b4ccc01a49999a01

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:14Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01

reference_url

https://github.com/advisories/GHSA-8gc5-j5rx-235r

reference_id

GHSA-8gc5-j5rx-235r

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8gc5-j5rx-235r

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r

reference_id

GHSA-8gc5-j5rx-235r

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:14Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r

reference_url	https://access.redhat.com/errata/RHSA-2026:12277
reference_id	RHSA-2026:12277
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:12277

reference_url	https://access.redhat.com/errata/RHSA-2026:12279
reference_id	RHSA-2026:12279
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:12279

reference_url	https://access.redhat.com/errata/RHSA-2026:17547
reference_id	RHSA-2026:17547
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17547

reference_url	https://access.redhat.com/errata/RHSA-2026:17549
reference_id	RHSA-2026:17549
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17549

reference_url	https://access.redhat.com/errata/RHSA-2026:17550
reference_id	RHSA-2026:17550
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17550

reference_url	https://access.redhat.com/errata/RHSA-2026:7110
reference_id	RHSA-2026:7110
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7110

reference_url	https://access.redhat.com/errata/RHSA-2026:7128
reference_id	RHSA-2026:7128
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7128

reference_url	https://access.redhat.com/errata/RHSA-2026:9742
reference_id	RHSA-2026:9742
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:9742

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6

reference_id

v5.5.6

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:14Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6

fixed_packages

url pkg:npm/fast-xml-parser@5.5.6

purl pkg:npm/fast-xml-parser@5.5.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-c46j-zfbx-eyc1

vulnerability	VCID-fbce-cxkc-3ube

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fast-xml-parser@5.5.6

aliases CVE-2026-33036, GHSA-8gc5-j5rx-235r

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9n1q-kn2a-xfca

url VCID-c46j-zfbx-eyc1

vulnerability_id VCID-c46j-zfbx-eyc1

summary fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33349.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33349.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33349

reference_id

reference_type

scores

value	0.00039
scoring_system	epss
scoring_elements	0.12094
published_at	2026-06-11T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.12187
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33349

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/NaturalIntelligence/fast-xml-parser

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/88d0936a23dabe51bfbf42255e2ce912dfee2221

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/88d0936a23dabe51bfbf42255e2ce912dfee2221

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33349

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33349

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7

reference_id

239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T14:00:54Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2450909
reference_id	2450909
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2450909

reference_url

https://github.com/advisories/GHSA-jp2q-39xq-3w4g

reference_id

GHSA-jp2q-39xq-3w4g

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jp2q-39xq-3w4g

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g

reference_id

GHSA-jp2q-39xq-3w4g

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T14:00:54Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g

reference_url	https://access.redhat.com/errata/RHSA-2026:24841
reference_id	RHSA-2026:24841
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:24841

fixed_packages

url pkg:npm/fast-xml-parser@5.5.7

purl pkg:npm/fast-xml-parser@5.5.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-fbce-cxkc-3ube

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fast-xml-parser@5.5.7

aliases CVE-2026-33349, GHSA-jp2q-39xq-3w4g

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c46j-zfbx-eyc1

url VCID-fbce-cxkc-3ube

vulnerability_id VCID-fbce-cxkc-3ube

summary

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41650.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41650.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-41650

reference_id

reference_type

scores

value	0.00012
scoring_system	epss
scoring_elements	0.0195
published_at	2026-06-11T12:55:00Z

value	0.00012
scoring_system	epss
scoring_elements	0.01953
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-41650

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/NaturalIntelligence/fast-xml-parser

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-41650

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-41650

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2467758
reference_id	2467758
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2467758

reference_url

https://github.com/advisories/GHSA-gh4j-gqv2-49f6

reference_id

GHSA-gh4j-gqv2-49f6

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-gh4j-gqv2-49f6

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6

reference_id

GHSA-gh4j-gqv2-49f6

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T15:08:09Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.6.0

reference_id

v5.6.0

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T15:08:09Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.6.0

fixed_packages

url	pkg:npm/fast-xml-parser@5.7.0
purl	pkg:npm/fast-xml-parser@5.7.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/fast-xml-parser@5.7.0

aliases CVE-2026-41650, GHSA-gh4j-gqv2-49f6

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fbce-cxkc-3ube

url VCID-z5yj-54hc-qyb9

vulnerability_id VCID-z5yj-54hc-qyb9

summary fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27942.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27942.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-27942

reference_id

reference_type

scores

value	0.00018
scoring_system	epss
scoring_elements	0.05046
published_at	2026-06-11T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.05049
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-27942

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/NaturalIntelligence/fast-xml-parser

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/c13a961910f14986295dd28484eee830fa1a0e8a

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/c13a961910f14986295dd28484eee830fa1a0e8a

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/pull/791

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/NaturalIntelligence/fast-xml-parser/pull/791

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2442938
reference_id	2442938
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2442938

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-27942

reference_id

CVE-2026-27942

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-27942

reference_url

https://github.com/advisories/GHSA-fj3w-jwp8-x2g3

reference_id

GHSA-fj3w-jwp8-x2g3

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fj3w-jwp8-x2g3

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-fj3w-jwp8-x2g3

reference_id

GHSA-fj3w-jwp8-x2g3

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-fj3w-jwp8-x2g3

reference_url	https://access.redhat.com/errata/RHSA-2026:12277
reference_id	RHSA-2026:12277
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:12277

reference_url	https://access.redhat.com/errata/RHSA-2026:6174
reference_id	RHSA-2026:6174
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6174

reference_url	https://access.redhat.com/errata/RHSA-2026:6802
reference_id	RHSA-2026:6802
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6802

reference_url	https://access.redhat.com/errata/RHSA-2026:7110
reference_id	RHSA-2026:7110
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7110

reference_url	https://access.redhat.com/errata/RHSA-2026:7128
reference_id	RHSA-2026:7128
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7128

fixed_packages

url pkg:npm/fast-xml-parser@5.3.8

purl pkg:npm/fast-xml-parser@5.3.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9n1q-kn2a-xfca

vulnerability	VCID-c46j-zfbx-eyc1

vulnerability	VCID-fbce-cxkc-3ube

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fast-xml-parser@5.3.8

aliases CVE-2026-27942, GHSA-fj3w-jwp8-x2g3

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z5yj-54hc-qyb9

Fixing_vulnerabilities

url VCID-8a1h-q8ck-cfbz

vulnerability_id VCID-8a1h-q8ck-cfbz

summary fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25896.json

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25896.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-25896

reference_id

reference_type

scores

value	0.0002
scoring_system	epss
scoring_elements	0.05761
published_at	2026-06-12T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05736
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-25896

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/NaturalIntelligence/fast-xml-parser

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2441501
reference_id	2441501
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2441501

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e

reference_id

943ef0eb1b2d3284e72dd74f44a042ee9f07026e

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:26:46Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-25896

reference_id

CVE-2026-25896

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-25896

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/ddcd0acf26ddd682cb0dc15a2bd6aa3b96bb1e69

reference_id

ddcd0acf26ddd682cb0dc15a2bd6aa3b96bb1e69

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:26:46Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/commit/ddcd0acf26ddd682cb0dc15a2bd6aa3b96bb1e69

reference_url

https://github.com/advisories/GHSA-m7jm-9gc2-mpf2

reference_id

GHSA-m7jm-9gc2-mpf2

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-m7jm-9gc2-mpf2

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-m7jm-9gc2-mpf2

reference_id

GHSA-m7jm-9gc2-mpf2

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:26:46Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-m7jm-9gc2-mpf2

reference_url	https://access.redhat.com/errata/RHSA-2026:6174
reference_id	RHSA-2026:6174
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6174

reference_url	https://access.redhat.com/errata/RHSA-2026:6802
reference_id	RHSA-2026:6802
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6802

reference_url	https://access.redhat.com/errata/RHSA-2026:7110
reference_id	RHSA-2026:7110
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7110

reference_url	https://access.redhat.com/errata/RHSA-2026:7128
reference_id	RHSA-2026:7128
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7128

reference_url

https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.5

reference_id

v5.3.5

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:26:46Z/

url

https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.5

fixed_packages

url pkg:npm/fast-xml-parser@4.5.4

purl pkg:npm/fast-xml-parser@4.5.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9n1q-kn2a-xfca

vulnerability	VCID-c46j-zfbx-eyc1

vulnerability	VCID-fbce-cxkc-3ube

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fast-xml-parser@4.5.4

url pkg:npm/fast-xml-parser@5.3.5

purl pkg:npm/fast-xml-parser@5.3.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-87wh-4hga-bbak

vulnerability	VCID-9n1q-kn2a-xfca

vulnerability	VCID-c46j-zfbx-eyc1

vulnerability	VCID-fbce-cxkc-3ube

vulnerability	VCID-z5yj-54hc-qyb9

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fast-xml-parser@5.3.5

aliases CVE-2026-25896, GHSA-m7jm-9gc2-mpf2

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8a1h-q8ck-cfbz

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/fast-xml-parser@5.3.5

Package Instance