fast-xml-parser XML Entity Expansion DoS 4.1.3-5.3.5
CVE-2026-26278 Published on February 19, 2026

fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, its possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.

Github Repository NVD

Vulnerability Analysis

CVE-2026-26278 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

What is a XEE Vulnerability?

The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.

CVE-2026-26278 has been classified to as a XEE vulnerability or weakness.


Products Associated with CVE-2026-26278

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

 
 
 
 
 
 
 
 

Affected Versions

NaturalIntelligence fast-xml-parser: Red Hat Advanced Cluster Security for Kubernetes 4.8: Red Hat Advanced Cluster Security for Kubernetes 4.9: Red Hat Developer Hub 1.8: Red Hat Developer Hub 1.9: Red Hat Migration Toolkit for Applications 8: Red Hat Openshift Data Foundation 4: Red Hat OpenShift GitOps: Red Hat OpenShift Virtualization 4: Red Hat Satellite 6: Red Hat Self-service automation portal 2:

Vulnerable Packages

The following package name and versions may be associated with CVE-2026-26278

Package Manager Vulnerable Package Versions Fixed In
npm fast-xml-parser >= 4.1.3, < 5.3.6 5.3.6
npm fast-xml-parser >= 4.0.0-beta.3, <= 5.5.5 5.5.6

Exploit Probability

EPSS
0.59%
Percentile
43.53%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.