SB20260420118 - XML injection in fast-xml-parser
Published: April 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) XML injection (CVE-ID: CVE-2026-41650)
CWE-ID: CWE-91 - XML Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject XML content and manipulate generated XML documents.
The vulnerability exists due to improper neutralization of special elements in XMLBuilder when building XML comments or CDATA sections from user-controlled data. A remote attacker can supply crafted comment or CDATA content containing XML delimiters to inject XML content and manipulate generated XML documents.
User interaction is required to trigger browser-side script execution in affected XML, SVG, or HTML contexts.
Remediation
Install update from vendor's website.