High severity 7.5 · NVD Advisory · Published Mar 26, 2026 · Updated Apr 21, 2026
CVE-2026-32287
Description
Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".
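The loop described above, as a stand-alone Go model added here; it is not code from antchfx/xpath. The types `node`, `selector`, `vulnerableLogical` and `patchedLogical`, and the `drain` caller loop with its demo-only `limit`, are hypothetical simplifications, and the model assumes a caller keeps requesting matches until `Select` returns nil.

```go
package main

import "fmt"

// node is a simplified stand-in for the library's NodeNavigator (assumption).
type node struct{ name string }

// selector has the shape of a query's Select: next match, or nil when done.
type selector interface{ Select(cur *node) *node }

// vulnerableLogical models the pre-1.3.6 branch: when the boolean expression
// is true it hands back the current node on every call and keeps no state.
type vulnerableLogical struct{ eval func(*node) bool }

func (q vulnerableLogical) Select(cur *node) *node {
	if q.eval(cur) {
		return cur
	}
	return nil
}

// patchedLogical models the fixed body in 1.3.6: Select never yields a node.
type patchedLogical struct{}

func (patchedLogical) Select(*node) *node { return nil }

// drain models a caller that asks for matches until Select returns nil
// (assumed caller pattern). limit exists only so the demonstration ends.
func drain(q selector, cur *node, limit int) (calls int, capped bool) {
	for q.Select(cur) != nil {
		calls++
		if calls >= limit {
			return calls, true
		}
	}
	return calls, false
}

func alwaysTrue(*node) bool  { return true }  // stands for "1=1" or "true()"
func alwaysFalse(*node) bool { return false } // stands for a false boolean

func main() {
	root := &node{name: "root"} // constructed sample node
	n, capped := drain(vulnerableLogical{alwaysTrue}, root, 1_000_000)
	fmt.Printf("vulnerable, true:  matches=%d hit_cap=%v\n", n, capped)
	n, capped = drain(vulnerableLogical{alwaysFalse}, root, 1_000_000)
	fmt.Printf("vulnerable, false: matches=%d hit_cap=%v\n", n, capped)
	n, capped = drain(patchedLogical{}, root, 1_000_000)
	fmt.Printf("patched:           matches=%d hit_cap=%v\n", n, capped)
}
```

Without the cap, the first case never returns, which is the 100% CPU condition; a false boolean expression terminated even before the fix, so only expressions that evaluate to true are affected.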
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/antchfx/xpath (Go) | < 1.3.6 | 1.3.6 |
Affected products (1)
Patches (1)
1 file changed · +0 −9
query.go+0 −9 modified@@ -985,15 +985,6 @@ type logicalQuery struct { } func (l *logicalQuery) Select(t iterator) NodeNavigator { - // When a XPath expr is logical expression. - node := t.Current().Copy() - val := l.Evaluate(t) - switch val.(type) { - case bool: - if val.(bool) == true { - return node - } - } return nil }
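Review bot: No regression test accompanies the change to logicalQuery.Select: the patch touches only query.go (+0 −9), so nothing pins the new behaviour for top-level selectors such as "1=1" or "true()". Add a test that runs those expressions under a timeout and asserts that selection finishes. The body is now a bare `return nil` with the parameter t unused; a short comment at that line stating that a logical expression selects no nodes, and that its boolean result is obtained through Evaluate, would keep a later contributor from reinstating the removed `case bool` branch.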
References (7)
- github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494 [nvd · Patch · WEB]
- securityinfinity.com/research/infinite-loop-dos-in-antchfx-xpath-logicalquery-select [nvd · Exploit · Third Party Advisory · WEB]
- github.com/advisories/GHSA-65xw-vw82-r86x [ghsa · ADVISORY]
- github.com/antchfx/xpath/issues/121 [nvd · Issue Tracking · Third Party Advisory · WEB]
- github.com/golang/vulndb/issues/4526 [nvd · Issue Tracking · Third Party Advisory · WEB]
- nvd.nist.gov/vuln/detail/CVE-2026-32287 [ghsa · ADVISORY]
- pkg.go.dev/vuln/GO-2026-4526 [nvd · Third Party Advisory · WEB]