Description
fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content. This vulnerability is fixed in 1.1.6.
Published: 2026-05-13
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

fast-xml-builder constructs XML from JSON. In version 1.1.5 a prior fix for CVE-2026-41650 replaced double dashes in comment content with a space pattern, but it failed to handle sequences of three consecutive dashes. This loophole allows an attacker to inject arbitrary XML or HTML by breaking out of an XML comment and inserting content, potentially enabling cross‑site scripting or XML injection.

Affected Systems

The affected product is NaturalIntelligence fast‑xml‑builder version 1.1.5. The vulnerability is fixed in version 1.1.6. No other versions are listed as affected.

Risk and Exploitability

The CVSS score is 6.1, indicating a medium severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. An attacker can exploit the flaw by supplying JSON that contains an XML comment with triple dashes, a condition that does not require authentication. Successful exploitation can enable injection of XML or HTML content, which may lead to cross‑site scripting or improper data handling. The attack vector is inferred to be data input that goes through fast‑xml‑builder, likely from an untrusted source.

Generated by OpenCVE AI on May 13, 2026 at 18:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fast-xml-builder to version 1.1.6 or later.
  • Validate or sanitize JSON input so that any XML comment content does not contain the substring '---' before it is processed by the builder. Replacing '---' with a safe placeholder or removing such content prevents the comment from terminating prematurely.
  • If the application does not require XML comments, configure it to exclude comments from the generated XML, thereby removing the vulnerability surface.

Generated by OpenCVE AI on May 13, 2026 at 18:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-45c6-75p6-83cc fast-xml-builder Comment Value regex can be bypassed
History

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Naturalintelligence
Naturalintelligence fast-xml-builder
Vendors & Products Naturalintelligence
Naturalintelligence fast-xml-builder

Wed, 13 May 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content. This vulnerability is fixed in 1.1.6.
Title fast-xml-builder: Comment Value bypass regex
Weaknesses CWE-91
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Naturalintelligence Fast-xml-builder
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T16:46:25.862Z

Reserved: 2026-05-07T16:20:08.659Z

Link: CVE-2026-44664

cve-icon Vulnrichment

Updated: 2026-05-13T16:44:29.798Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T16:16:58.937

Modified: 2026-05-13T16:58:09.717

Link: CVE-2026-44664

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:34:13Z

Weaknesses