Low severity · NVD Advisory · Published Feb 26, 2026 · Updated Feb 26, 2026
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
CVE-2026-27942
Description
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and without callbacks. Prior to version 5.3.8, the application crashes with a stack overflow when a user uses the XML builder with preserveOrder:true. Version 5.3.8 fixes the issue. As a workaround, use the XML builder with preserveOrder:false or check the input data before passing it to the builder.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fast-xml-parser (npm) | >= 5.0.0, < 5.3.8 | 5.3.8 |
| fast-xml-parser (npm) | >= 4.0.0-beta.0, < 4.5.4 | 4.5.4 |
Affected products
osv-coords (34 versions):
| Package | Affected range |
|---|---|
| pkg:apk/chainguard/dbgate | < 7.1.2-r1 |
| pkg:apk/chainguard/dbgate-fips | < 7.1.2-r0 |
| pkg:apk/chainguard/jitsucom-jitsu-console | < 2.11.0-r16 |
| pkg:apk/chainguard/kibana-8.17 | < 8.17.10-r11 |
| pkg:apk/chainguard/kibana-8.17-iamguarded | < 8.17.10-r11 |
| pkg:apk/chainguard/kibana-8.19 | < 8.19.12-r3 |
| pkg:apk/chainguard/kibana-8.19-bitnami | < 8.19.12-r3 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | < 8.19.12-r3 |
| pkg:apk/chainguard/kibana-9.0 | < 9.0.8-r11 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | < 9.0.8-r11 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r6 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r6 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.6-r2 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.6-r2 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.1-r1 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.1-r1 |
| pkg:apk/chainguard/kubeflow-pipelines-frontend | < 2.16.0-r2 |
| pkg:apk/chainguard/langfuse-2-worker | < 2.95.12-r12 |
| pkg:apk/chainguard/librechat | < 0.8.2-r6 |
| pkg:apk/chainguard/opensearch-dashboards-3 | < 3.5.0-r3 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips | < 3.5.0-r2 |
| pkg:apk/chainguard/prism | < 5.14.3-r8 |
| pkg:apk/chainguard/renovate | < 43.48.3-r0 |
| pkg:apk/chainguard/saf | < 1.6.0-r0 |
| pkg:apk/chainguard/tileserver-gl | < 5.5.0-r6 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.5.0-r7 |
| pkg:apk/wolfi/jitsucom-jitsu-console | < 2.11.0-r16 |
| pkg:apk/wolfi/kubeflow-pipelines-frontend | < 2.16.0-r2 |
| pkg:apk/wolfi/opensearch-dashboards-3 | < 3.5.0-r3 |
| pkg:apk/wolfi/prism | < 5.14.3-r8 |
| pkg:apk/wolfi/renovate | < 43.48.3-r0 |
| pkg:apk/wolfi/saf | < 1.6.0-r0 |
| pkg:apk/wolfi/tileserver-gl | < 5.5.0-r6 |
| pkg:npm/fast-xml-parser | >= 5.0.0, < 5.3.8 |
- Range: < 5.3.8
References
- github.com/advisories/GHSA-fj3w-jwp8-x2g3 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-27942 (ghsa: ADVISORY)
- github.com/NaturalIntelligence/fast-xml-parser/commit/c13a961910f14986295dd28484eee830fa1a0e8a (ghsa: x_refsource_MISC, WEB)
- github.com/NaturalIntelligence/fast-xml-parser/pull/791 (ghsa: x_refsource_MISC, WEB)
- github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-fj3w-jwp8-x2g3 (ghsa: x_refsource_CONFIRM, WEB)