fast-xml-parser <5.3.5: Entity Name wildcard XSS via DOCTYPE parsing
CVE-2026-25896 Published on February 20, 2026
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
Vulnerability Analysis
CVE-2026-25896 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.
Weakness Types
Incorrect Regular Expression
The software specifies a regular expression in a way that causes data to be improperly matched or compared. When the regular expression is used in protection mechanisms such as filtering or validation, this may allow an attacker to bypass the intended restrictions on the incoming data.
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-25896 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-25896
Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.
Affected Versions
NaturalIntelligence fast-xml-parser:- Version >= 5.0.0, < 5.3.5 is affected.
- Version >= 4.1.3, < 4.5.4 is affected.
- Version 1775594119 and below * is unaffected.
- Version 1775594284 and below * is unaffected.
- Version 1774545605 and below * is unaffected.
- Version 1775140647 and below * is unaffected.
- Version 1783667125 and below * is unaffected.
- Version 1783666755 and below * is unaffected.
- Version 1784054598 and below * is unaffected.
- Version 1784055387 and below * is unaffected.
- Version 1784055726 and below * is unaffected.
- Version 1783667517 and below * is unaffected.
- Version 1783667577 and below * is unaffected.
- Version 1783667611 and below * is unaffected.
- Version 1784055020 and below * is unaffected.
- Version 1783667641 and below * is unaffected.
- Version 1784055586 and below * is unaffected.
- Version 1783667790 and below * is unaffected.
- Version 1783667859 and below * is unaffected.
- Version 1783667875 and below * is unaffected.
- Version 1783667869 and below * is unaffected.
- Version 1783667877 and below * is unaffected.
- Version 1784055576 and below * is unaffected.
- Version 1784055244 and below * is unaffected.
- Version 1784055382 and below * is unaffected.
- Version 1783668266 and below * is unaffected.
- Version 1783668288 and below * is unaffected.
- Version 1783669219 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.