CVE-2026-41650— fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41650
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
Source: NVD (National Vulnerability Database)
Vulnerability Description
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
XML注入(XPath盲注)
Source: NVD (National Vulnerability Database)
Vulnerability Title
fast-xml-parser 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
fast-xml-parser是Natural Intelligence开源的一个库。用于在没有基于 C/C++ 的库和回调的情况下,快速验证 XML、解析 XML 和构建 XML。 fast-xml-parser 5.7.0之前版本存在安全漏洞,该漏洞源于XMLBuilder未转义注释内容中的-->序列或CDATA部分中的]]>序列,可能导致XML注入,进而引发跨站脚本、SOAP注入或数据篡改。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| NaturalIntelligence | fast-xml-parser | < 5.7.0 | - |
II. Public POCs for CVE-2026-41650
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41650
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: fast-xml-parser
- CVE-2026-33349
fast-xml-parser: Entity Expansion Limits Bypassed When Set t - CVE-2026-33036
fast-xml-parser affected by numeric entity expansion bypassi - CVE-2026-27942
fast-xml-parser has stack overflow in XMLBuilder with preser - CVE-2026-25896
fast-xml-parser has an entity encoding bypass via regex inje - CVE-2026-26278
fast-xml-parser affected by DoS through entity expansion in
Same vendor: NaturalIntelligence
- CVE-2026-33349
fast-xml-parser: Entity Expansion Limits Bypassed When Set t - CVE-2026-33036
fast-xml-parser affected by numeric entity expansion bypassi - CVE-2026-27942
fast-xml-parser has stack overflow in XMLBuilder with preser - CVE-2026-25896
fast-xml-parser has an entity encoding bypass via regex inje - CVE-2026-26278
fast-xml-parser affected by DoS through entity expansion in
Same weakness: CWE-91
- CVE-2026-41675
xmldom: XML node injection through unvalidated processing in - CVE-2026-41674
xmldom: XML injection through unvalidated DocumentType seria - CVE-2026-41672
xmldom: XML node injection through unvalidated comment seria - CVE-2026-27693
traccar allows XML injection in KML and GPX exports - CVE-2026-32870
Kirby has XML injection in its XML creator toolkit
V. Comments for CVE-2026-41650
No comments yet