CVE-2026-26278
Modified Modified - Updated After Analysis

XML Entity Expansion Vulnerability in fast-xml-parser Causes Denial of Service

Vulnerability report for CVE-2026-26278, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-19

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-19
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-02-19
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
naturalintelligence fast-xml-parser From 4.1.3 (inc) to 5.3.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-776 The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade fast-xml-parser to version 5.3.6 or later, where the issue is fixed.

As a workaround, avoid using DOCTYPE parsing by setting the option `processEntities: false` in your XML parser configuration.

Executive Summary

The vulnerability exists in the fast-xml-parser library versions 4.1.3 through 5.3.5. It allows an attacker to force the XML parser to perform an unlimited amount of entity expansion. This means that with a very small XML input, the parser can be made to spend an excessive amount of time processing a single request, potentially freezing the application.

This happens because the parser does not properly limit entity expansion, leading to a denial of service condition. The issue is fixed in version 5.3.6, and a workaround is to disable DOCTYPE parsing by setting the option `processEntities: false`.

Impact Analysis

This vulnerability can impact you by causing a denial of service (DoS) condition. An attacker can send a specially crafted XML input that forces the parser to perform excessive entity expansions, causing the application to freeze or become unresponsive for seconds or even minutes.

This can lead to service outages, degraded performance, and potentially impact availability of your application or service that uses the fast-xml-parser library.

Compliance Impact

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26278. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart