CVE-2026-41650

Summary

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "–>" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.

Affected Software

VendorProductVersion RangeStatus
NaturalIntelligencefast-xml-parser< 5.7.0affected

Weaknesses

  • CWE-91: CWE-91: XML Injection (aka Blind XPath Injection)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References