Libexpatproject Libexpat
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Libexpatproject Libexpat.
By the Year
In 2026 there have been 18 vulnerabilities in Libexpatproject Libexpat with an average score of 6.2 out of ten. Last year, in 2025 Libexpat had 2 security vulnerabilities published. That is, 16 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.03.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 18 | 6.23 |
| 2025 | 2 | 5.20 |
| 2024 | 6 | 7.48 |
| 2023 | 0 | 0.00 |
| 2022 | 17 | 8.75 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 2 | 7.50 |
It may take a day or so for new Libexpat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Libexpatproject Libexpat Security Vulnerabilities
libexpat <=2.8.2 Use-After-Free via XML_TOK_DATA_CHARS in doCdataSection
CVE-2026-56412
4.9 - Medium
- June 21, 2026
libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.
Dangling pointer
Integer Overflow in libexpat <2.8.2 via endDoctypeDecl (NOTATION)
CVE-2026-56411
6.9 - Medium
- June 21, 2026
xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.
Integer Overflow or Wraparound
Integer Overflow in libexpat (<2.8.2) ResolveSystemID
CVE-2026-56410
6.9 - Medium
- June 21, 2026
xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.
Integer Overflow or Wraparound
Integer overflow in libexpat 2.8.2 XMLWF -d outputDir
CVE-2026-56409
6.5 - Medium
- June 21, 2026
xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used.
Integer Overflow or Wraparound
libexpat before 2.8.2 integer overflow in copyString
CVE-2026-56408
6.9 - Medium
- June 21, 2026
libexpat before 2.8.2 has an integer overflow in copyString.
Integer Overflow or Wraparound
libexpat 2.8.1 int overflow in doProlog
CVE-2026-56407
6.9 - Medium
- June 21, 2026
libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen.
Integer Overflow or Wraparound
INT OVERFLOW in libexpat <2.8.2 XML_ParseBuffer (2.8.2+ fixed)
CVE-2026-56406
6.9 - Medium
- June 21, 2026
libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse.
Integer Overflow or Wraparound
Integer Overflow in libexpat getAttributeId (v < 2.8.2)
CVE-2026-56405
6.9 - Medium
- June 21, 2026
libexpat before 2.8.2 has an integer overflow in getAttributeId.
Integer Overflow or Wraparound
libexpat <2.8.2 Integer Overflow in addBinding
CVE-2026-56404
6.9 - Medium
- June 21, 2026
libexpat before 2.8.2 has an integer overflow in addBinding.
Integer Overflow or Wraparound
Libexpat <2.8.2: Integer Overflow in storeAtts
CVE-2026-56403
6.9 - Medium
- June 21, 2026
libexpat before 2.8.2 has an integer overflow in storeAtts.
Integer Overflow or Wraparound
Heap-based Buffer Overflow in libexpat < 2.8.2 (xmlparse.c)
CVE-2026-56132
6.9 - Medium
- June 19, 2026
In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.
Incorrect Synchronization
libexpat Use-After-Free via XML_ResumeParser before v2.8.2
CVE-2026-56131
4.9 - Medium
- June 19, 2026
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation).
Dangling pointer
Use-After-Free in libexpat <2.8.2 (XML handler recursion)
CVE-2026-50219
4.9 - Medium
- June 04, 2026
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,
Dangling pointer
Denial of Service via Attribute Name Collision in libexpat < 2.8.1
CVE-2026-45186
7.5 - High
- May 10, 2026
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
Inefficient Algorithmic Complexity
libexpat <2.7.6 Hash Flooding via Crafted XML (Entropy Issue)
CVE-2026-41080
7.5 - High
- April 16, 2026
libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
Insufficient Entropy
NULL Pointer Deref in libexpat <2.7.5
CVE-2026-32776
4 - Medium
- March 16, 2026
libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.
NULL Pointer Dereference
Expat libexpat <2.7.4 Integer Overflow in doContent
CVE-2026-25210
6.9 - Medium
- January 30, 2026
In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.
Integer Overflow or Wraparound
libexpat <2.7.4: XML_ExternalEntityParser Unknown Enc Handler Data Copy Issue
CVE-2026-24515
2.9 - Low
- January 23, 2026
In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.
NULL Pointer Dereference
Denial of Service via Oversized XML in libexpat <= 2.7.3 (CVE-2025-66382)
CVE-2025-66382
2.9 - Low
- November 28, 2025
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
Inefficient Algorithmic Complexity
Large Allocations in Expat <2.7.2 via Small XML (DoS)
CVE-2025-59375
7.5 - High
- September 15, 2025
libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.
Allocation of Resources Without Limits or Throttling
libexpat Negative XML_ParseBuffer Length Bypass Before 2.6.3
CVE-2024-45490
9.8 - Critical
- August 30, 2024
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
Integer Overflow or Wraparound
Integer Overflow in libexpat dtdCopy (v<2.6.3) on 32-bit
CVE-2024-45491
7.3 - High
- August 30, 2024
An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Integer Overflow or Wraparound
libexpat int-overflow on 32-bit (before 2.6.3)
CVE-2024-45492
7.3 - High
- August 30, 2024
An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Integer Overflow or Wraparound
XML Entity Expansion in libexpat <2.6.1 via XML_ExternalEntityParserCreate
CVE-2024-28757
7.5 - High
- March 10, 2024
libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).
XEE
libexpat <=2.5.0 DoS via large token causing excessive reparsings
CVE-2023-52425
7.5 - High
- February 04, 2024
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
Resource Exhaustion
Rec XML Entity Expansion in libexpat 2.5.0 (CVE-2023-52426)
CVE-2023-52426
5.5 - Medium
- February 04, 2024
libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.
XEE
Use-After-Free in libexpat <= 2.4.9 via XML_ExternalEntityParserCreate
CVE-2022-43680
7.5 - High
- October 24, 2022
In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
Dangling pointer
libexpat <2.4.9 UAF in xmlparse.c
CVE-2022-40674
8.1 - High
- September 14, 2022
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
Dangling pointer
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model
CVE-2022-25313
6.5 - Medium
- February 18, 2022
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
Stack Exhaustion
In Expat (aka libexpat) before 2.4.5
CVE-2022-25314
7.5 - High
- February 18, 2022
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
Integer Overflow or Wraparound
In Expat (aka libexpat) before 2.4.5
CVE-2022-25315
9.8 - Critical
- February 18, 2022
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
Integer Overflow or Wraparound
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding
CVE-2022-25235
9.8 - Critical
- February 16, 2022
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
Output Sanitization
xmlparse.c in Expat (aka libexpat) before 2.4.5
CVE-2022-25236
9.8 - Critical
- February 16, 2022
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
Exposure of Resource to Wrong Sphere
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
CVE-2022-23990
7.5 - High
- January 26, 2022
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
Integer Overflow or Wraparound
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer
CVE-2022-23852
9.8 - Critical
- January 24, 2022
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
Integer Overflow or Wraparound
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22824
9.8 - Critical
- January 10, 2022
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Integer Overflow or Wraparound
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22823
9.8 - Critical
- January 10, 2022
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Integer Overflow or Wraparound
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22822
9.8 - Critical
- January 10, 2022
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Integer Overflow or Wraparound
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22826
8.8 - High
- January 10, 2022
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Integer Overflow or Wraparound
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22825
8.8 - High
- January 10, 2022
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Integer Overflow or Wraparound
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22827
8.8 - High
- January 10, 2022
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Integer Overflow or Wraparound
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3
CVE-2021-46143
7.8 - High
- January 06, 2022
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
Integer Overflow or Wraparound
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c
CVE-2021-45960
8.8 - High
- January 01, 2022
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
Incorrect Calculation
In libexpat before 2.2.8, crafted XML input could fool the parser into changing
CVE-2019-15903
7.5 - High
- September 04, 2019
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
Out-of-bounds Read
In libexpat in Expat before 2.2.7, XML input including XML names
CVE-2018-20843
7.5 - High
- June 24, 2019
In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
XXE
XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library)
CVE-2017-9233
- July 25, 2017
XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.
The overflow protection in Expat is removed by compilers with certain optimization settings, which
CVE-2016-4472
- June 30, 2016
The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
The XML parser in Expat does not use sufficient entropy for hash initialization, which
CVE-2016-5300
7.5 - High
- June 16, 2016
The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
Resource Management Errors
Expat, when used in a parser
CVE-2012-6702
- June 16, 2016
Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.
Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code
CVE-2016-0718
9.8 - Critical
- May 26, 2016
Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
Buffer Overflow
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Libexpatproject Libexpat or by Libexpatproject? Click the Watch button to subscribe.