XML injection in fast-xml-parser - #VU126617

Published: April 20, 2026


Vulnerability identifier: #VU126617
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-91
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Natural Intelligence
Affected software: fast-xml-parser

Detailed vulnerability description

The vulnerability allows a remote attacker to inject XML content and manipulate generated XML documents.

The vulnerability exists due to improper neutralization of special elements in XMLBuilder when building XML comments or CDATA sections from user-controlled data. A remote attacker can supply crafted comment or CDATA content containing XML delimiters to inject XML content and manipulate generated XML documents.

User interaction is required to trigger browser-side script execution in affected XML, SVG, or HTML contexts.
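The description above comes down to one serialisation rule: a CDATA section ends at the first `]]>` and a comment at the first `-->` (XML 1.0 also forbids `--` anywhere inside a comment), so user-controlled text that carries those sequences terminates the construct early and whatever follows is parsed as markup. The example below, written for this page and not taken from fast-xml-parser, shows the defensive side: helpers that neutralise those delimiters before the text is wrapped, a reject-rather-than-rewrite check for input validation, and a minimal CDATA reader that proves the escaped form round-trips while the unescaped form does not. The function names and the sample inputs are constructed for the illustration.

```javascript
// Added example (not fast-xml-parser code): neutralise the delimiters that end a
// CDATA section ("]]>") or a comment ("--", and "-" just before "-->") before
// user-controlled text is serialised into either construct.

const CDATA_OPEN = '<![CDATA[';
const CDATA_CLOSE = ']]>';

// A CDATA section ends at the first "]]>". Splitting that sequence across two
// adjacent sections keeps every character of the input while closing none early.
function escapeCdata(text) {
  return String(text).split(CDATA_CLOSE).join(']]' + CDATA_CLOSE + CDATA_OPEN + '>');
}

function buildCdata(text) {
  return CDATA_OPEN + escapeCdata(text) + CDATA_CLOSE;
}

// XML 1.0 forbids "--" inside a comment and a "-" immediately before "-->".
// Entities are not expanded in comments, so the only choices are to break the
// run of hyphens (here with a space) or to reject the input (see findBreakout).
function escapeComment(text) {
  let s = String(text).replace(/-(?=-)/g, '- ');
  if (s.endsWith('-')) s += ' ';
  return s;
}

function buildComment(text) {
  return '<!--' + escapeComment(text) + '-->';
}

// Input-validation variant for callers that would rather reject than rewrite:
// returns the offset of the first sequence that would end the construct, or -1.
function findBreakout(kind, text) {
  const s = String(text);
  if (kind === 'cdata') return s.indexOf(CDATA_CLOSE);
  if (kind === 'comment') {
    const i = s.indexOf('--');
    if (i !== -1) return i;
    return s.endsWith('-') ? s.length - 1 : -1;
  }
  throw new Error('unknown kind: ' + kind);
}

// Minimal reader used to check the round trip: consumes one or more adjacent
// CDATA sections starting at offset 0 and returns their concatenated content
// plus the offset of the first character after them. Anything left after
// `next` sits outside the data and would be parsed as markup.
function readCdata(xml) {
  let pos = 0;
  let out = '';
  while (xml.startsWith(CDATA_OPEN, pos)) {
    const end = xml.indexOf(CDATA_CLOSE, pos + CDATA_OPEN.length);
    if (end === -1) throw new Error('unterminated CDATA section');
    out += xml.slice(pos + CDATA_OPEN.length, end);
    pos = end + CDATA_CLOSE.length;
  }
  return { content: out, next: pos };
}

// Constructed samples: values that carry the terminating sequence followed by
// markup of their own.
const SAMPLE_CDATA_INPUT = 'user text]]><injected/>';
const SAMPLE_COMMENT_INPUT = 'note --><injected/>';

// Stand-alone demonstration: escaped output round-trips, unescaped does not.
const escaped = buildCdata(SAMPLE_CDATA_INPUT);
const unescaped = CDATA_OPEN + SAMPLE_CDATA_INPUT + CDATA_CLOSE;
console.log('escaped  :', escaped, '->', JSON.stringify(readCdata(escaped)));
console.log('unescaped:', unescaped, '->', JSON.stringify(readCdata(unescaped)));
console.log('comment  :', buildComment(SAMPLE_COMMENT_INPUT));
console.log('breakout at:', findBreakout('cdata', SAMPLE_CDATA_INPUT));
```

The split-and-reopen trick for CDATA is lossless, which is why `readCdata` recovers the original string exactly; the comment case has no lossless escape, so a builder that must preserve the text byte-for-byte should reject input where `findBreakout('comment', text)` is not `-1` instead of rewriting it.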


Remediation

Install the security update from the vendor's website.

Sources