XML Injection Vulnerability in Fast-XML-Parser by Natural Intelligence
CVE-2026-41650

6.1MEDIUM

Key Information:

Vendor: Naturalintelligence
Status: Fast-xml-parser
Vendor: CVE Published:; 7 May 2026

🔔 Create Naturalintelligence Vulnerability Alert

What is CVE-2026-41650?

The fast-xml-parser library, utilized for processing XML from JavaScript objects, has a critical flaw prior to version 5.7.0 that fails to properly escape the '-->' sequence within comment content and the ']]>' sequence in CDATA sections. This oversight permits the injection of malicious XML content when user-controlled data is included in comments or CDATA elements. Consequently, this could lead to various attacks, including cross-site scripting (XSS), SOAP injection, or unauthorized data manipulation. Users should upgrade to version 5.7.0 or later to mitigate this vulnerability.

Affected Version(s)

fast-xml-parser < 5.7.0

References

https://github.com/NaturalIntelligence/fast-xml-parser/se...

x_refsource_CONFIRM

https://github.com/NaturalIntelligence/fast-xml-parser/re...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2026
Vulnerability Reserved
Apr 21, 2026

CVE-2026-41650 Data

JSON