Description

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.

INFO

Published Date :

2026-02-19T19:40:55.842Z

Last Modified :

2026-03-02T19:11:59.388Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26278 vulnerability.

Vendors Products
Naturalintelligence
  • Fast-xml-parser
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26278.

URL Resource
https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77 cve-icon cve-icon cve-icon
https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6 cve-icon cve-icon cve-icon
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-26278 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-26278 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact