SB20260420118 - XML injection in fast-xml-parser



SB20260420118 - XML injection in fast-xml-parser

Published: April 20, 2026

Security Bulletin ID SB20260420118
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) XML injection (CVE-ID: CVE-2026-41650)

CWE-ID: CWE-91 - XML Injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject XML content and manipulate generated XML documents.

The vulnerability exists due to improper neutralization of special elements in XMLBuilder when building XML comments or CDATA sections from user-controlled data. A remote attacker can supply crafted comment or CDATA content containing XML delimiters to inject XML content and manipulate generated XML documents.

User interaction is required to trigger browser-side script execution in affected XML, SVG, or HTML contexts.


Remediation

Install update from vendor's website.