Medium severity (score 6.1). NVD Advisory. Published May 7, 2026. Updated May 12, 2026.
CVE-2026-41650
Description
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.
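The two constructs named above have no escape syntax, so a builder has to handle the terminator sequences itself. The following is an added example, not code from fast-xml-parser or from the advisory: naive emitters that mirror the unpatched behaviour, hardened equivalents, and a small check that reveals whether content escaped a comment or CDATA section. All function names and the sample inputs are constructed for this page.

```javascript
// Added example, not fast-xml-parser code: emitting XML comments and CDATA
// sections from untrusted text so the content cannot terminate the construct
// early, which is the defect the advisory describes in XMLBuilder < 5.7.0.
// All function names and sample inputs below are constructed for this page.

// Naive emitters mirroring the unpatched behaviour: content is wrapped as-is.
const naiveCdata = (text) => '<![CDATA[' + text + ']]>';
const naiveComment = (text) => '<!--' + text + '-->';

// CDATA has no escape syntax, but "]]>" can be split across two adjacent
// sections: the first ends after "]]", the second starts with ">". A parser
// concatenates the sections, so the original text is preserved exactly.
function safeCdata(text) {
  return '<![CDATA[' + String(text).split(']]>').join(']]]]><![CDATA[>') + ']]>';
}

// XML 1.0 forbids "--" anywhere in a comment and a body ending in "-". There
// is no lossless encoding either, so hyphen runs are broken up with spaces;
// a stricter builder could reject such input instead.
function safeComment(text) {
  let body = String(text).replace(/-{2,}/g, (run) => run.split('').join(' '));
  if (body.endsWith('-')) body += ' ';
  return '<!--' + body + '-->';
}

// Defensive check for builder output: consume complete comment and CDATA
// constructs and return any character data found outside them. For a
// fragment meant to be one comment or one CDATA section, a non-empty result
// means the content escaped the construct.
const CONSTRUCTS = [['<![CDATA[', ']]>'], ['<!--', '-->']];
function leakedOutside(fragment) {
  let outside = '';
  let i = 0;
  while (i < fragment.length) {
    const hit = CONSTRUCTS.find(([open]) => fragment.startsWith(open, i));
    if (!hit) { outside += fragment[i++]; continue; }
    const end = fragment.indexOf(hit[1], i + hit[0].length);
    i = end === -1 ? fragment.length : end + hit[1].length;
  }
  return outside;
}

// Constructed untrusted inputs: a terminator followed by a harmless tag.
const cdataInput = 'data]]><injected/>';
const commentInput = 'note--><injected/><!--';
```

Running `leakedOutside` over the naive output returns the stray `<injected/>` tag, while the hardened output yields an empty string and the CDATA round-trips to the original text.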
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fast-xml-parser (npm) | < 5.7.0 | 5.7.0 |
Affected products
28 package coordinates sourced from OSV; no CPE is recorded for any of them.
| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/kibana-8.19 | < 8.19.14-r5 |
| pkg:apk/chainguard/kibana-8.19-bitnami | < 8.19.14-r6 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | < 8.19.14-r6 |
| pkg:apk/chainguard/kibana-9.4 | < 9.4.2-r1 |
| pkg:apk/chainguard/kibana-9.4-iamguarded | < 9.4.2-r1 |
| pkg:apk/chainguard/kubeflow-pipelines-frontend | < 2.16.0-r19 |
| pkg:apk/chainguard/langfuse-3 | < 3.164.0-r8 |
| pkg:apk/chainguard/langfuse-3-worker | < 3.164.0-r8 |
| pkg:apk/chainguard/langfuse-fips-3 | < 3.164.0-r7 |
| pkg:apk/chainguard/langfuse-fips-3-worker | < 3.164.0-r7 |
| pkg:apk/chainguard/librechat | < 0.8.4-r6 |
| pkg:apk/chainguard/opensearch-dashboards-3 | < 3.6.0-r3 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips | < 3.6.0-r5 |
| pkg:apk/chainguard/prism | < 5.15.10-r0 |
| pkg:apk/chainguard/renovate | < 43.170.15-r1 |
| pkg:apk/chainguard/saf | < 1.6.0-r0 |
| pkg:apk/chainguard/thingsboard-tb-js-executor-fips | < 4.3.1.2-r2 |
| pkg:apk/chainguard/tileserver-gl | < 5.6.0-r2 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.6.0-r2 |
| pkg:apk/wolfi/kubeflow-pipelines-frontend | < 2.16.0-r19 |
| pkg:apk/wolfi/langfuse-3 | < 3.164.0-r8 |
| pkg:apk/wolfi/langfuse-3-worker | < 3.164.0-r8 |
| pkg:apk/wolfi/opensearch-dashboards-3 | < 3.6.0-r3 |
| pkg:apk/wolfi/prism | < 5.15.10-r0 |
| pkg:apk/wolfi/renovate | < 43.170.15-r1 |
| pkg:apk/wolfi/saf | < 1.6.0-r0 |
| pkg:apk/wolfi/tileserver-gl | < 5.6.0-r2 |
| pkg:npm/fast-xml-parser | < 5.7.0 |
References
- github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6 (vendor advisory; NVD tags: Exploit, Mitigation, Vendor Advisory)
- github.com/advisories/GHSA-gh4j-gqv2-49f6 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-41650 (NVD advisory)
- github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.6.0 (release notes; NVD tag: Product)