pkg:npm/fast-xml-parser

All known vulnerabilities

• CRITICAL9.3CVE-2026-25896fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
  >= 5.0.0, < 5.3.5
• HIGH7.5CVE-2026-33036fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
  >= 5.0.0, < 5.5.6
• HIGH7.5CVE-2026-27942fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
  >= 5.0.0, < 5.3.8
• HIGH7.5fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
  >= 4.1.3, < 4.5.4
• HIGH7.5fast-xml-parser has RangeError DoS Numeric Entities Bug
  >= 5.0.9, < 5.3.4
• HIGH7.5fast-xml-parser vulnerable to ReDOS at currency parsing
  >= 4.3.5, < 4.4.1
• HIGH7.5fast-xml-parser vulnerable to Regex Injection via Doctype Entities
  >= 4.1.3, < 4.2.4
• MEDIUM6.5fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name
  from 0, < 4.1.2
• MEDIUM6.1fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
  from 0, < 5.7.0
• MEDIUM5.9Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
  >= 4.0.0-beta.3, < 4.5.5