CVE-2026-26278
Status: Received - Intake
XML Entity Expansion Vulnerability in fast-xml-parser Causes Denial of Service

Publication date: 2026-02-19

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++-based libraries and without callbacks. In versions 4.1.3 through 5.3.5, the XML parser can be forced to perform an unbounded amount of entity expansion: with a very small XML input it is possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, disable DOCTYPE entity processing with the `processEntities: false` option.
Meta Information
Published: 2026-02-19
Last Modified: 2026-02-23
Generated: 2026-06-16
AI Q&A: 2026-02-19
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
1 associated CPE
Vendor: naturalintelligence
Product: fast-xml-parser
Version range: from 4.1.3 (inclusive) to 5.3.6 (exclusive)
CWE
CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion'). The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
AI Quick Actions
Mitigation Strategies

To mitigate this vulnerability, upgrade fast-xml-parser to version 5.3.6 or later, where the issue is fixed. The affected range is 4.1.3 through 5.3.5, so check the version actually resolved in your lockfile (for example with `npm ls fast-xml-parser`) rather than only the range in package.json: the library is frequently a transitive dependency of larger SDKs, and an outdated copy can be present without appearing among your direct dependencies.

As a workaround, set `processEntities: false` in the parser options so that entities declared in a DOCTYPE are never expanded. Note that this option switches off all entity substitution in the library, including the predefined XML entities such as `&amp;` and `&lt;`, so confirm that nothing in your application relies on the parser decoding them. Independently of the library version, rejecting any untrusted document that contains a DOCTYPE declaration before it reaches the parser is a cheap additional defence, since XML exchanged over an API rarely needs an internal DTD.

Compliance Impact

I don't know

Detection Guidance

I don't know

Executive Summary

The vulnerability exists in fast-xml-parser versions 4.1.3 through 5.3.5. It allows an attacker to force the XML parser to perform an unbounded amount of entity expansion, so a very small XML input can make the parser spend an excessive amount of time on a single request, potentially freezing the application.

This is the CWE-776 pattern: a document's DOCTYPE can declare entities, and the parser substitutes them into the output without bounding the number of substitutions or the size of the result, so a few lines of declarations can cost work far out of proportion to the input. The outcome is a denial of service. The issue is fixed in version 5.3.6, and the workaround is to disable entity processing with the option `processEntities: false`.
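
The following is an added example serving both the workaround under Mitigation Strategies and the expansion mechanism described above; it is not code from fast-xml-parser or from the CVE record. It is a pre-parse guard that resolves the `<!ENTITY>` declarations of a document's internal DTD subset and computes the document's length after full expansion without materialising it, rejecting cycles, parameter and external entities, and any document whose expanded size passes a budget. The budget values, the function names (`checkEntityExpansion`, `billionLaughs`, `splitDoctype`) and the sample documents are assumptions made for this example; the "billion laughs" payload is the classic nested pattern behind CWE-776, constructed here, and is not claimed to be the exact input that triggers this CVE.

```javascript
// Added example (not fast-xml-parser's own code): a pre-parse guard that
// bounds DTD entity expansion before untrusted XML reaches any parser.
// Budgets, function names and sample documents are assumptions made here.

const MAX_EXPANDED_CHARS = 100000; // assumed budget: document length after entity expansion
const MAX_ENTITY_DECLS = 64;       // assumed cap on <!ENTITY> declarations in the internal subset

// Split the DOCTYPE out of the document: returns the internal subset (the text
// between [ and ]) and the remaining body. An external DTD named on the
// DOCTYPE itself (SYSTEM/PUBLIC) is neither fetched nor examined.
function splitDoctype(xml) {
  const m = /<!DOCTYPE\b[^\[>]*(?:\[([\s\S]*?)\])?\s*>/.exec(xml);
  if (!m) return { subset: '', body: xml };
  return { subset: m[1] || '', body: xml.slice(0, m.index) + xml.slice(m.index + m[0].length) };
}

// Collect general entity declarations (<!ENTITY name "value">). Parameter
// entities (%name) and external entities (SYSTEM/PUBLIC) are refused outright,
// because a guard cannot resolve them safely.
function parseEntityDeclarations(subset) {
  const entities = new Map();
  const re = /<!ENTITY\s+(%\s*)?([^\s>]+)\s+(?:"([^"]*)"|'([^']*)'|(SYSTEM|PUBLIC)\b[^>]*)\s*>/g;
  let m;
  while ((m = re.exec(subset)) !== null) {
    const [, param, name, dq, sq, external] = m;
    if (param) throw new Error(`parameter entity %${name} not allowed`);
    if (external) throw new Error(`external entity ${name} (${external}) not allowed`);
    if (entities.size >= MAX_ENTITY_DECLS) throw new Error('too many entity declarations');
    if (!entities.has(name)) entities.set(name, dq !== undefined ? dq : sq); // first declaration wins, per XML
  }
  return entities;
}

// Length of `text` after expanding every &name; it references, computed
// recursively with memoisation. Undeclared names (the predefined &amp;, &lt;,
// numeric references) are counted at their literal length. Throws as soon as
// the running total passes the budget or a reference cycle is detected.
function expandedLength(text, entities, memo, stack) {
  const re = /&([^;&\s<]+);/g;
  let size = 0;
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    size += m.index - last;
    last = m.index + m[0].length;
    size += entities.has(m[1]) ? entityLength(m[1], entities, memo, stack) : m[0].length;
    if (size > MAX_EXPANDED_CHARS) throw new Error('expanded document exceeds budget');
  }
  size += text.length - last;
  if (size > MAX_EXPANDED_CHARS) throw new Error('expanded document exceeds budget');
  return size;
}

function entityLength(name, entities, memo, stack) {
  if (memo.has(name)) return memo.get(name);
  if (stack.has(name)) throw new Error(`entity cycle through &${name};`);
  stack.add(name);
  const size = expandedLength(entities.get(name), entities, memo, stack);
  stack.delete(name);
  memo.set(name, size);
  return size;
}

// The guard. Returns { ok: true, expandedChars } when the document may be handed
// to the parser, and { ok: false, reason } otherwise.
function checkEntityExpansion(xml) {
  try {
    const { subset, body } = splitDoctype(xml);
    const entities = parseEntityDeclarations(subset);
    return { ok: true, expandedChars: expandedLength(body, entities, new Map(), new Set()) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed sample documents. billionLaughs() builds a chain of `depth`
// entities, each referencing its predecessor `fanout` times, so the expanded
// size is 3 * fanout ** depth characters from well under a kilobyte of input.
const BENIGN_XML = [
  '<!DOCTYPE note [',
  '  <!ENTITY company "Example Corp">',
  '  <!ENTITY footer "Copyright &company;">',
  ']>',
  '<note>&company; - &footer;</note>',
].join('\n');

function billionLaughs(depth, fanout) {
  const decls = ['<!ENTITY lol0 "lol">'];
  for (let i = 1; i <= depth; i++) decls.push(`<!ENTITY lol${i} "${`&lol${i - 1};`.repeat(fanout)}">`);
  return `<!DOCTYPE lolz [\n${decls.join('\n')}\n]>\n<lolz>&lol${depth};</lolz>`;
}

const CYCLIC_XML = '<!DOCTYPE a [<!ENTITY a "&b;"><!ENTITY b "&a;">]><a>&a;</a>';

// Usage: run the guard first and pass only accepted documents to the real
// parser (for example fast-xml-parser's XMLParser, which is not imported here).
for (const [label, xml] of [['benign', BENIGN_XML], ['laughs', billionLaughs(5, 10)], ['cyclic', CYCLIC_XML]]) {
  console.log(label, JSON.stringify(checkEntityExpansion(xml)));
}
```

The budget is checked while the total is being accumulated, so the guard itself does bounded work on a hostile document: the six-line `billionLaughs(5, 10)` payload is rejected after a handful of memoised additions, long before anything the size of its 300,000-character expansion is built. The guard complements, rather than replaces, upgrading to 5.3.6: it only sees entities declared in the internal subset, so keep `processEntities: false` or the fixed version as the parser-side control.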

Impact Analysis

The impact is denial of service (DoS). An attacker who can submit XML to a component that parses it with an affected version can send a small, specially crafted document that forces excessive entity expansion, leaving the application frozen or unresponsive for seconds or even minutes on that single request.

This leads to service outages, degraded performance and loss of availability for any application or service that parses untrusted XML with the fast-xml-parser library. Because the parse is synchronous, in Node.js it runs on the event-loop thread, so one such request also stalls every other request being handled by that process.
