fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or...

6.1 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.

Basic Information

ID CVE-2026-44665

Source GitHub_M

Published May 13, 2026 at 15:24

Affected Product

Vendor NaturalIntelligence

Product fast-xml-builder

Version < 1.1.7

Affected Versions NaturalIntelligence fast-xml-builder < 1.1.7

CWE Classification

CWE-91

References

github.com /NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9

{
    "lastseen": "",
    "description": "fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.",
    "published": "2026-05-13T15:24:54.596Z",
    "modified": "2026-05-13T15:24:54.596Z",
    "type": "cve",
    "title": "fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes",
    "source": "GitHub_M",
    "references": "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9",
    "id": "CVE-2026-44665",
    "bulletinFamily": "",
    "cwe": [
        "CWE-91"
    ],
    "cvelist": null,
    "sourceData": "NaturalIntelligence fast-xml-builder < 1.1.7",
    "sourceHref": "",
    "cvss": {
        "score": 6.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "fast-xml-builder",
    "version": "< 1.1.7",
    "vendor": "NaturalIntelligence",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes_CVE-2026-44665