Medium severity6.1NVD Advisory· Published May 7, 2026· Updated May 12, 2026

CVE-2026-41650

Description

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
fast-xml-parsernpm	< 5.7.0	5.7.0

Affected products

Naturalintelligence/Fast Xml Parserinferred2 versions
<=5.5.12+ 1 more
- (no CPE)range: <=5.5.12
- cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*range: <5.7.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6nvdExploitMitigationVendor AdvisoryWEB
github.com/advisories/GHSA-gh4j-gqv2-49f6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41650ghsaADVISORY
github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.6.0nvdProductRelease NotesWEB

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000