CVE-2026-44664

Summary

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes – sequences in XML comment content using .replace(/–/g, '- -'). This skip the values containing three consecutive dashes (e.g., —>…), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content. This vulnerability is fixed in 1.1.6.

Affected Software

VendorProductVersion RangeStatus
NaturalIntelligencefast-xml-builder1.1.5affected

Weaknesses

  • CWE-91: CWE-91: XML Injection (aka Blind XPath Injection)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References