fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.
References
| Link | Resource |
|---|---|
| https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77 | Patch |
| https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6 | Product Release Notes |
| https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj | Exploit Vendor Advisory |
Configurations
History
23 Feb 2026, 19:30
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Naturalintelligence
Naturalintelligence fast-xml-parser |
|
| CPE | cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:* | |
| References | () https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77 - Patch | |
| References | () https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6 - Product, Release Notes | |
| References | () https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj - Exploit, Vendor Advisory |
19 Feb 2026, 20:25
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-19 20:25
Updated : 2026-02-23 19:30
NVD link : CVE-2026-26278
Mitre link : CVE-2026-26278
CVE.ORG link : CVE-2026-26278
JSON object : View
Products Affected
naturalintelligence
- fast-xml-parser
CWE
CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')