XML Parser Vulnerability in Fast XML Parser by Natural Intelligence
CVE-2026-26278

7.5HIGH

Key Information:

Vendor: Natural Intelligence
CVE Published: 19 February 2026

What is CVE-2026-26278?

fast-xml-parser, maintained by Natural Intelligence, does not bound entity expansion when it processes a DOCTYPE containing internal entity declarations. An attacker who can submit XML to an application that parses it with fast-xml-parser can therefore send a small document whose nested entity references expand into a very large string, consuming the parser's CPU and memory and leaving the application unresponsive for extended periods (a denial of service). Affected releases are 4.1.3 up to but not including 4.5.4, and 5.0.0 up to but not including 5.3.6; the fix ships in 4.5.4 and 5.3.6. Where an upgrade is not immediately possible, the advisory's workaround is to disable DOCTYPE entity processing by passing processEntities: false in the XMLParser options, so that entity references are left unexpanded instead of being resolved.
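The example below is added for this page and is not fast-xml-parser's code. It is a small hypothetical entity expander that shows why a ~300-byte document with nested entity declarations is enough to blow up an unbounded parser, and the two controls a parser can apply: not processing entities at all (the effect of the advisory's processEntities: false workaround) and computing each entity's expansion size before expanding it, so a bomb is rejected rather than expanded. The function names, the maxExpansion option and the constructed BOMB document are assumptions made for the illustration.

```javascript
"use strict";
// Added illustration of the unbounded entity-expansion class behind
// CVE-2026-26278. Hypothetical code written for this page; it is NOT
// fast-xml-parser's implementation and does not reproduce its API.

// Pull <!ENTITY name "value"> declarations out of a DOCTYPE internal subset.
function parseEntityDecls(xml) {
  const entities = new Map();
  const re = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>/g;
  for (let m; (m = re.exec(xml)) !== null; ) entities.set(m[1], m[2]);
  return entities;
}

const REF = /&([A-Za-z_][\w.-]*);/g;

// Compute how many characters each entity expands to WITHOUT expanding it,
// so a parser can reject a bomb before doing the work. Cycles are rejected.
function expansionSizes(entities) {
  const sizes = new Map();
  const onStack = new Set();
  function size(name) {
    if (sizes.has(name)) return sizes.get(name);
    if (onStack.has(name)) throw new Error(`recursive entity: ${name}`);
    onStack.add(name);
    const value = entities.get(name);
    let total = value.replace(REF, "").length;            // literal characters
    for (const m of value.matchAll(REF)) {
      total += entities.has(m[1]) ? size(m[1]) : m[0].length; // unknown refs stay literal
    }
    onStack.delete(name);
    sizes.set(name, total);
    return total;
  }
  for (const name of entities.keys()) size(name);
  return sizes;
}

// Expand &name; references in `text`.
//   processEntities: false -> return text untouched (the advisory's workaround).
//   maxExpansion           -> reject if any referenced entity expands beyond it.
function expandEntities(text, entities, { processEntities = true, maxExpansion = Infinity } = {}) {
  if (!processEntities) return text;
  const sizes = expansionSizes(entities);
  for (const m of text.matchAll(REF)) {
    if (sizes.has(m[1]) && sizes.get(m[1]) > maxExpansion) {
      throw new Error(`entity ${m[1]} expands to ${sizes.get(m[1])} chars, limit ${maxExpansion}`);
    }
  }
  // Unbounded recursive substitution: this is the vulnerable behaviour when
  // no budget is enforced.
  const rec = (s) => s.replace(/&([A-Za-z_][\w.-]*);/g, (whole, name) =>
    entities.has(name) ? rec(entities.get(name)) : whole);
  return rec(text);
}

// Constructed sample input: a three-level "billion laughs" style bomb. Each
// level references the previous one ten times, so &lol3; yields 1000 copies
// of "lol" (3000 characters) from a document of roughly 300 bytes.
const BOMB = `<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<data>&lol3;</data>`;

// Runs the three scenarios against the bomb and returns a summary.
function demo(xml = BOMB) {
  const entities = parseEntityDecls(xml);
  const body = xml.slice(xml.indexOf("<data>") + "<data>".length, xml.indexOf("</data>"));
  const unbounded = expandEntities(body, entities);                            // vulnerable
  const disabled = expandEntities(body, entities, { processEntities: false }); // workaround
  let rejected = null;
  try {
    expandEntities(body, entities, { maxExpansion: 1024 });                   // budgeted parser
  } catch (e) {
    rejected = e.message;
  }
  return {
    inputBytes: xml.length,
    unboundedLength: unbounded.length,
    ratio: unbounded.length / xml.length,
    disabled,
    rejected,
  };
}

console.log(demo());
```

Adding a fourth level to the constructed document multiplies the expansion by another ten while adding about 80 bytes of input, which is why a size limit on the raw request body is not a substitute for bounding expansion inside the parser; the budget check above is cheap because it is computed from the declarations, not by expanding them.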

Affected Version(s)

Package           Affected range        Not affected
fast-xml-parser   >= 5.0.0, < 5.3.6     < 5.0.0, 5.3.6
fast-xml-parser   >= 4.1.3, < 4.5.4     < 4.1.3, 4.5.4

CVSS V3.1

Score:
7.5
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 19 February 2026

  • Vulnerability reserved