High severity7.5NVD Advisory· Published Mar 26, 2026· Updated Apr 21, 2026
CVE-2026-32287
CVE-2026-32287
Description
Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/antchfx/xpathGo | < 1.3.6 | 1.3.6 |
Affected products
175- osv-coords174 versionspkg:apk/chainguard/amazon-cloudwatch-agentpkg:apk/chainguard/amazon-cloudwatch-agent-fipspkg:apk/chainguard/aws-otel-collectorpkg:apk/chainguard/aws-otel-collector-fipspkg:apk/chainguard/crossplane-provider-aws-acmpkg:apk/chainguard/crossplane-provider-aws-acm-fipspkg:apk/chainguard/crossplane-provider-aws-backuppkg:apk/chainguard/crossplane-provider-aws-backup-fipspkg:apk/chainguard/crossplane-provider-aws-cloudformationpkg:apk/chainguard/crossplane-provider-aws-cloudformation-fipspkg:apk/chainguard/crossplane-provider-aws-cloudfrontpkg:apk/chainguard/crossplane-provider-aws-cloudfront-fipspkg:apk/chainguard/crossplane-provider-aws-cloudwatchlogspkg:apk/chainguard/crossplane-provider-aws-cloudwatchlogs-fipspkg:apk/chainguard/crossplane-provider-aws-cognitoidentitypkg:apk/chainguard/crossplane-provider-aws-cognitoidentity-fipspkg:apk/chainguard/crossplane-provider-aws-cognitoidppkg:apk/chainguard/crossplane-provider-aws-cognitoidp-fipspkg:apk/chainguard/crossplane-provider-aws-dynamodbpkg:apk/chainguard/crossplane-provider-aws-dynamodb-fipspkg:apk/chainguard/crossplane-provider-aws-ec2pkg:apk/chainguard/crossplane-provider-aws-ec2-fipspkg:apk/chainguard/crossplane-provider-aws-ecrpkg:apk/chainguard/crossplane-provider-aws-ecr-fipspkg:apk/chainguard/crossplane-provider-aws-ecspkg:apk/chainguard/crossplane-provider-aws-ecs-fipspkg:apk/chainguard/crossplane-provider-aws-efspkg:apk/chainguard/crossplane-provider-aws-efs-fipspkg:apk/chainguard/crossplane-provider-aws-ekspkg:apk/chainguard/crossplane-provider-aws-eks-fipspkg:apk/chainguard/crossplane-provider-aws-elasticachepkg:apk/chainguard/crossplane-provider-aws-elasticache-fipspkg:apk/chainguard/crossplane-provider-aws-elbv2pkg:apk/chainguard/crossplane-provider-aws-elbv2-fipspkg:apk/chainguard/crossplane-provider-aws-firehosepkg:apk/chainguard/crossplane-provider-aws-firehose-fipspkg:apk/chainguard/crossplane-provider-aws-iampkg:apk/chainguard/crossplane-provider-aws-iam-fipspkg:apk/chainguard/crossplane-provider-aws-kinesispkg:apk/chainguard/crossplane-provider-aws-kinesis-fipspkg:apk/chainguard/crossplane-provider-aws-kmspkg:apk/chainguard/crossplane-provider-aws-kms-fipspkg:apk/chainguard/crossplane-provider-aws-lambdapkg:apk/chainguard/crossplane-provider-aws-lambda-fipspkg:apk/chainguard/crossplane-provider-aws-memorydbpkg:apk/chainguard/crossplane-provider-aws-memorydb-fipspkg:apk/chainguard/crossplane-provider-aws-rdspkg:apk/chainguard/crossplane-provider-aws-rds-fipspkg:apk/chainguard/crossplane-provider-aws-rolesanywherepkg:apk/chainguard/crossplane-provider-aws-rolesanywhere-fipspkg:apk/chainguard/crossplane-provider-aws-route53pkg:apk/chainguard/crossplane-provider-aws-route53-fipspkg:apk/chainguard/crossplane-provider-aws-s3pkg:apk/chainguard/crossplane-provider-aws-s3-fipspkg:apk/chainguard/crossplane-provider-aws-servicediscoverypkg:apk/chainguard/crossplane-provider-aws-servicediscovery-fipspkg:apk/chainguard/crossplane-provider-aws-snspkg:apk/chainguard/crossplane-provider-aws-sns-fipspkg:apk/chainguard/crossplane-provider-aws-sqspkg:apk/chainguard/crossplane-provider-aws-sqs-fipspkg:apk/chainguard/crossplane-provider-aws-ssmpkg:apk/chainguard/crossplane-provider-aws-ssm-fipspkg:apk/chainguard/crossplane-provider-aws-wafv2pkg:apk/chainguard/crossplane-provider-aws-wafv2-fipspkg:apk/chainguard/crossplane-provider-azure-authorizationpkg:apk/chainguard/crossplane-provider-azure-managedidentitypkg:apk/chainguard/crossplane-provider-azure-sqlpkg:apk/chainguard/crossplane-provider-azure-storagepkg:apk/chainguard/crossplane-provider-family-awspkg:apk/chainguard/crossplane-provider-family-aws-fipspkg:apk/chainguard/crossplane-provider-family-azurepkg:apk/chainguard/crossplane-provider-family-gcppkg:apk/chainguard/crossplane-provider-family-gcp-fipspkg:apk/chainguard/crossplane-provider-gcp-cloudplatformpkg:apk/chainguard/crossplane-provider-gcp-cloudplatform-fipspkg:apk/chainguard/crossplane-provider-gcp-computepkg:apk/chainguard/crossplane-provider-gcp-compute-fipspkg:apk/chainguard/crossplane-provider-gcp-containerpkg:apk/chainguard/crossplane-provider-gcp-container-fipspkg:apk/chainguard/crossplane-provider-gcp-dnspkg:apk/chainguard/crossplane-provider-gcp-dns-fipspkg:apk/chainguard/crossplane-provider-gcp-kmspkg:apk/chainguard/crossplane-provider-gcp-kms-fipspkg:apk/chainguard/crossplane-provider-gcp-pubsubpkg:apk/chainguard/crossplane-provider-gcp-pubsub-fipspkg:apk/chainguard/crossplane-provider-gcp-storagepkg:apk/chainguard/crossplane-provider-gcp-storage-fipspkg:apk/chainguard/crossplane-provider-keycloakpkg:apk/chainguard/crossplane-provider-keycloak-fipspkg:apk/chainguard/datadog-agent-7.71-fullpkg:apk/chainguard/datadog-agent-7.72-fullpkg:apk/chainguard/datadog-agent-7.73-fullpkg:apk/chainguard/datadog-agent-7.74-fullpkg:apk/chainguard/datadog-agent-7.76-fullpkg:apk/chainguard/datadog-agent-7.77-fullpkg:apk/chainguard/datadog-agent-fips-7.71-fullpkg:apk/chainguard/datadog-agent-fips-7.72-fullpkg:apk/chainguard/datadog-agent-fips-7.73-fullpkg:apk/chainguard/datadog-agent-fips-7.76-fullpkg:apk/chainguard/datadog-agent-fips-7.77-fullpkg:apk/chainguard/elastic-agent-8.17pkg:apk/chainguard/elastic-agent-8.19pkg:apk/chainguard/elastic-agent-9.0pkg:apk/chainguard/elastic-agent-9.1pkg:apk/chainguard/elastic-agent-9.2pkg:apk/chainguard/elastic-agent-fips-8.17pkg:apk/chainguard/elastic-agent-fips-8.19pkg:apk/chainguard/elastic-agent-fips-9.0pkg:apk/chainguard/elastic-agent-fips-9.1pkg:apk/chainguard/elastic-agent-fips-9.2pkg:apk/chainguard/elastic-otel-collector-9.3pkg:apk/chainguard/elastic-otel-collector-fips-9.3pkg:apk/chainguard/grafana-alloypkg:apk/chainguard/grafana-alloy-fipspkg:apk/chainguard/nrdot-collector-k8spkg:apk/chainguard/nrdot-collector-k8s-fipspkg:apk/chainguard/nucleipkg:apk/chainguard/telegraf-1.37pkg:apk/chainguard/tempo-2.10pkg:apk/chainguard/tempo-2.10-clipkg:apk/chainguard/tempo-2.10-vulturepkg:apk/chainguard/tempo-2.8pkg:apk/chainguard/tempo-2.8-clipkg:apk/chainguard/tempo-2.9pkg:apk/chainguard/tempo-2.9-clipkg:apk/chainguard/tempo-fips-2.10pkg:apk/chainguard/tempo-fips-2.10-clipkg:apk/chainguard/tempo-fips-2.10-vulturepkg:apk/chainguard/tempo-fips-2.8pkg:apk/chainguard/tempo-fips-2.8-clipkg:apk/chainguard/tempo-fips-2.9pkg:apk/chainguard/tempo-fips-2.9-clipkg:apk/chainguard/wavefront-collector-for-kubernetes-1.12pkg:apk/chainguard/wavefront-collector-for-kubernetes-1.13pkg:apk/wolfi/amazon-cloudwatch-agentpkg:apk/wolfi/aws-otel-collectorpkg:apk/wolfi/crossplane-provider-aws-cloudformationpkg:apk/wolfi/crossplane-provider-aws-cloudfrontpkg:apk/wolfi/crossplane-provider-aws-cloudwatchlogspkg:apk/wolfi/crossplane-provider-aws-dynamodbpkg:apk/wolfi/crossplane-provider-aws-ec2pkg:apk/wolfi/crossplane-provider-aws-ekspkg:apk/wolfi/crossplane-provider-aws-elasticachepkg:apk/wolfi/crossplane-provider-aws-firehosepkg:apk/wolfi/crossplane-provider-aws-iampkg:apk/wolfi/crossplane-provider-aws-kinesispkg:apk/wolfi/crossplane-provider-aws-kmspkg:apk/wolfi/crossplane-provider-aws-lambdapkg:apk/wolfi/crossplane-provider-aws-memorydbpkg:apk/wolfi/crossplane-provider-aws-rdspkg:apk/wolfi/crossplane-provider-aws-route53pkg:apk/wolfi/crossplane-provider-aws-s3pkg:apk/wolfi/crossplane-provider-aws-snspkg:apk/wolfi/crossplane-provider-aws-sqspkg:apk/wolfi/crossplane-provider-azure-authorizationpkg:apk/wolfi/crossplane-provider-azure-managedidentitypkg:apk/wolfi/crossplane-provider-azure-sqlpkg:apk/wolfi/crossplane-provider-azure-storagepkg:apk/wolfi/crossplane-provider-family-awspkg:apk/wolfi/crossplane-provider-family-azurepkg:apk/wolfi/crossplane-provider-gcp-pubsubpkg:apk/wolfi/crossplane-provider-gcp-storagepkg:apk/wolfi/crossplane-provider-keycloakpkg:apk/wolfi/datadog-agent-7.72-fullpkg:apk/wolfi/datadog-agent-7.73-fullpkg:apk/wolfi/datadog-agent-7.77-fullpkg:apk/wolfi/grafana-alloypkg:apk/wolfi/nucleipkg:apk/wolfi/telegraf-1.37pkg:apk/wolfi/tempo-2.10pkg:apk/wolfi/tempo-2.10-clipkg:apk/wolfi/tempo-2.10-vulturepkg:golang/github.com/antchfx/xpathpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 1.300066.0-r1+ 173 more
- (no CPE)range: < 1.300066.0-r1
- (no CPE)range: < 1.300066.0-r1
- (no CPE)range: < 0.47.0-r10
- (no CPE)range: < 0.47.0-r6
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r2
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.4.0-r2
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r1
- (no CPE)range: < 2.5.0-r1
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r2
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r2
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r2
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r5
- (no CPE)range: < 2.5.0-r6
- (no CPE)range: < 2.5.0-r5
- (no CPE)range: < 2.5.0-r6
- (no CPE)range: < 2.5.0-r5
- (no CPE)range: < 2.5.0-r6
- (no CPE)range: < 2.5.0-r5
- (no CPE)range: < 2.5.0-r6
- (no CPE)range: < 2.5.0-r5
- (no CPE)range: < 2.5.0-r6
- (no CPE)range: < 2.5.0-r5
- (no CPE)range: < 2.5.0-r6
- (no CPE)range: < 2.5.0-r5
- (no CPE)range: < 2.5.0-r6
- (no CPE)range: < 2.5.0-r5
- (no CPE)range: < 2.5.0-r6
- (no CPE)range: < 2.17.0-r3
- (no CPE)range: < 2.17.0-r2
- (no CPE)range: < 7.71.2-r20
- (no CPE)range: < 7.72.4-r20
- (no CPE)range: < 7.73.3-r11
- (no CPE)range: < 7.74.1-r14
- (no CPE)range: < 7.76.3-r11
- (no CPE)range: < 7.77.3-r3
- (no CPE)range: < 7.71.2-r13
- (no CPE)range: < 7.72.4-r13
- (no CPE)range: < 7.73.3-r10
- (no CPE)range: < 7.76.3-r9
- (no CPE)range: < 7.77.3-r3
- (no CPE)range: < 8.17.10-r11
- (no CPE)range: < 8.19.13-r2
- (no CPE)range: < 9.0.8-r10
- (no CPE)range: < 9.1.10-r9
- (no CPE)range: < 9.2.7-r2
- (no CPE)range: < 8.17.10-r10
- (no CPE)range: < 8.19.13-r1
- (no CPE)range: < 9.0.8-r11
- (no CPE)range: < 9.1.10-r9
- (no CPE)range: < 9.2.7-r1
- (no CPE)range: < 9.3.2-r2
- (no CPE)range: < 9.3.2-r2
- (no CPE)range: < 1.14.2-r1
- (no CPE)range: < 1.15.0-r0
- (no CPE)range: < 1.12.0-r0
- (no CPE)range: < 1.12.0-r0
- (no CPE)range: < 3.7.1-r4
- (no CPE)range: < 1.37.3-r7
- (no CPE)range: < 2.10.3-r7
- (no CPE)range: < 2.10.3-r7
- (no CPE)range: < 2.10.3-r7
- (no CPE)range: < 2.8.3-r3
- (no CPE)range: < 0
- (no CPE)range: < 2.9.1-r4
- (no CPE)range: < 0
- (no CPE)range: < 2.10.3-r3
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 2.8.3-r3
- (no CPE)range: < 0
- (no CPE)range: < 2.9.1-r4
- (no CPE)range: < 2.9.1-r4
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.300066.0-r1
- (no CPE)range: < 0.47.0-r10
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r5
- (no CPE)range: < 2.5.0-r5
- (no CPE)range: < 2.17.0-r3
- (no CPE)range: < 7.72.4-r20
- (no CPE)range: < 7.73.3-r11
- (no CPE)range: < 7.77.3-r3
- (no CPE)range: < 1.14.2-r1
- (no CPE)range: < 3.7.1-r4
- (no CPE)range: < 1.37.3-r7
- (no CPE)range: < 2.10.3-r7
- (no CPE)range: < 2.10.3-r7
- (no CPE)range: < 2.10.3-r7
- (no CPE)range: < 1.3.6
- (no CPE)range: < 0.0.20260326T203309-150000.1.155.2
Patches
Vulnerability mechanics
References
7- github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494nvdPatchWEB
- securityinfinity.com/research/infinite-loop-dos-in-antchfx-xpath-logicalquery-selectnvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-65xw-vw82-r86xghsaADVISORY
- github.com/antchfx/xpath/issues/121nvdIssue TrackingThird Party AdvisoryWEB
- github.com/golang/vulndb/issues/4526nvdIssue TrackingThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-32287ghsaADVISORY
- pkg.go.dev/vuln/GO-2026-4526nvdThird Party AdvisoryWEB
News mentions
0No linked articles in our index yet.