CVE 9.3 CRITICAL

fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names_CVE-2026-25896

February 20, 2026 invoker category_cve
9.3 / 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Description

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", &apos;) with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.

AI Analysis

Entity encoding bypass via regex injection in DOCTYPE entity names, leading to XSS when parsed output is rendered

Basic Information

ID CVE-2026-25896
Source GitHub_M
Published Feb 20, 2026 at 20:57

Affected Product

Vendor NaturalIntelligence
Product fast-xml-parser
Version >= 4.1.3, < 5.3.5
Affected Versions NaturalIntelligence fast-xml-parser >= 4.1.3, < 5.3.5

CWE Classification

CWE-185

AI Assessment

AI Score 9.3 / 10
AI Severity Critical
Vendor NaturalIntelligence
Product fast-xml-parser
Version 4.1.3 to 5.3.5

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.