Description
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.
Published: 2026-05-07
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

XMLBuilder in fast-xml-parser does not escape certain delimiter sequences (e.g., the comment end marker '-->' and the CDATA end marker ']]>') when constructing XML from JavaScript objects. This missing sanitization creates an injection point that attackers can exploit with user-controlled data to place arbitrary XML content. The impact includes cross-site scripting, SOAP envelope alteration, and other forms of data manipulation, a classic example of XML Injection (CWE-91).

Affected Systems

All deployments of NaturalIntelligence's fast-xml-parser prior to version 5.7.0 are affected. The vulnerability exists in the XMLBuilder module that builds XML from JavaScript objects. Any system that imports or uses fast-xml-parser before the patch may be compromised if it processes untrusted input.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity with potential for significant impact. The EPSS score is not available, so the likelihood of exploitation cannot be quantified precisely, but the vulnerability is not listed in the CISA KEV catalog. Attackers can inject malicious content by providing crafted input that reaches XMLBuilder. The required conditions are that the application builds XML from untrusted data; based on the description, it is inferred that no additional authentication or sandboxing is required, implying a relatively straightforward exploitation path.

Generated by OpenCVE AI on May 7, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fast-xml-parser to version 5.7.0 or later to restore proper escaping of comment and CDATA delimiters
  • Implement input validation that removes or escapes the --> and ]]> sequences from comment and CDATA contents before passing data to XMLBuilder
  • Restrict the source of data passed to XMLBuilder to trusted inputs wherever possible, such as whitelisting or sanitizing external data before it is handed to the builder
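Added example, not code from the fast-xml-parser project or this advisory: a defensive helper in the spirit of the second recommended action, which neutralises the "]]>" and "-->" delimiters before data reaches a builder, plus a small scanner that checks the CDATA round trip. All function names and the sample input are hypothetical/constructed.

```javascript
// A CDATA section ends at the first "]]>", so that sequence inside user data
// closes the section early. The standard remedy splits it across two
// sections: "]]" ends the first, ">" starts the second, and a parser
// concatenates both back into the original text.
function escapeCdata(text) {
  return String(text).split(']]>').join(']]]]><![CDATA[>');
}

// XML forbids "--" anywhere in a comment body and a trailing "-", so "-->"
// is one case of a broader rule; pad every hyphen pair until none remain.
function escapeComment(text) {
  let s = String(text);
  while (s.includes('--')) s = s.replace(/--/g, '- -');
  return s.endsWith('-') ? s + ' ' : s;
}

function buildCdata(text) { return '<![CDATA[' + escapeCdata(text) + ']]>'; }
function buildComment(text) { return '<!--' + escapeComment(text) + '-->'; }
// Shape of the defect described in the advisory: raw data between the delimiters.
function buildCdataNaive(text) { return '<![CDATA[' + text + ']]>'; }

// Minimal CDATA scanner used to verify the round trip: returns the text that
// lands inside CDATA sections and any markup that ends up outside them.
function splitCdata(fragment) {
  const text = [], outside = [];
  let i = 0;
  while (i < fragment.length) {
    const start = fragment.indexOf('<![CDATA[', i);
    if (start === -1) { outside.push(fragment.slice(i)); break; }
    outside.push(fragment.slice(i, start));
    const end = fragment.indexOf(']]>', start + 9);
    if (end === -1) throw new Error('unterminated CDATA section');
    text.push(fragment.slice(start + 9, end));
    i = end + 3;
  }
  return { text: text.join(''), outside: outside.join('') };
}

// Well-formedness check for a comment body (no "--", no trailing "-").
function isValidCommentBody(body) {
  return !body.includes('--') && !body.endsWith('-');
}

// Constructed sample: user data that tries to terminate the CDATA section.
const HOSTILE = 'a]]><injected/><![CDATA[b';
```

With the naive builder, `splitCdata` reports `<injected/>` outside any CDATA section; with `buildCdata` the recovered text equals the input and nothing leaks outside.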

Advisories
Source: GitHub GHSA
ID: GHSA-gh4j-gqv2-49f6
Title: fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
History

Thu, 07 May 2026 15:45:00 +0000

Type: First Time appeared
  Values Added: Naturalintelligence; Naturalintelligence fast-xml-parser
Type: Vendors & Products
  Values Added: Naturalintelligence; Naturalintelligence fast-xml-parser

Thu, 07 May 2026 15:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 14:30:00 +0000

Type: Description
  Values Added: fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.
Type: Title
  Values Added: fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
Type: Weaknesses
  Values Added: CWE-91
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T15:08:36.208Z

Reserved: 2026-04-21T23:58:43.802Z

Link: CVE-2026-41650

Vulnrichment

Updated: 2026-05-07T15:06:59.881Z

NVD

Status : Awaiting Analysis

Published: 2026-05-07T15:16:07.767

Modified: 2026-05-07T16:16:20.080

Link: CVE-2026-41650

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T16:45:33Z

Weaknesses