Description
fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.
Published: 2026-05-13
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fast‑xml‑builder builds XML from JSON. Prior to version 1.1.7, if a JSON attribute value contains quotation marks and the builder is run with entity processing disabled, the value is broken into several attributes. An attacker can then insert arbitrary attributes into the resulting XML/HTML. This allows the insertion of malicious or unwanted attributes, potentially enabling cross‑site scripting, data tampering, or other forms of content injection depending on how the output is used.

Affected Systems

NaturalIntelligence’s Fast‑xml‑builder library is affected in all releases prior to 1.1.7. Any project that incorporates an older version of this library and processes JSON containing quoted attribute values without entity processing is vulnerable. The vulnerability is fixed in version 1.1.7 and later.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit this flaw by supplying crafted JSON input containing quotes in attribute values to a system that uses fast‑xml‑builder with entity processing turned off. If the generated XML or HTML is rendered in a browser or used in further processing, the injected attributes could lead to code execution or data tampering. Mitigation is best achieved by applying the vendor‑provided patch or by sanitizing input.

Generated by OpenCVE AI on May 13, 2026 at 17:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fast‑xml‑builder to version 1.1.7 or later, which contains the fix.
  • Sanitize JSON attribute values by removing or escaping quotation marks before passing them to fast‑xml‑builder, thereby preventing unintended attribute injection.
  • Review and adjust the entity processing setting or enforce strict attribute value validation to minimize the risk of attribute splitting.

Generated by OpenCVE AI on May 13, 2026 at 17:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5wm8-gmm8-39j9 fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes
History

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Naturalintelligence
Naturalintelligence fast-xml-builder
Vendors & Products Naturalintelligence
Naturalintelligence fast-xml-builder

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.
Title fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes
Weaknesses CWE-91
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Naturalintelligence Fast-xml-builder
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T15:24:54.596Z

Reserved: 2026-05-07T16:20:08.659Z

Link: CVE-2026-44665

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-13T16:16:59.093

Modified: 2026-05-13T16:53:33.310

Link: CVE-2026-44665

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:34:15Z

Weaknesses