CVE-2026-25896
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
9.3
CRITICAL
CVSS 3.1
EPSS 0.02%
Description
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
How to fix CVE-2026-25896
To remediate CVE-2026-25896, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 5.3.5 or later
Is CVE-2026-25896 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- >= 5.0.0, < 5.3.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N |