CVE-2026-32287 — Infinite loop in github.com/antchfx/xpath

Description

Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

How to fix CVE-2026-32287

To remediate CVE-2026-32287, upgrade the affected package to a fixed version below.

Debian/golang-github-antchfx-xpath—no fix listed
—upgrade to 1.3.6 or later
—upgrade to 1.3.6 or later

Is CVE-2026-32287 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0
from 0, < 1.3.6
from 0, < 1.3.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-32287
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-32287
PATCHgithub.com/antchfx/xpath
WEBgithub.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494
WEB