VYPR
Medium severity6.1GHSA Advisory· Published May 13, 2026· Updated May 18, 2026

CVE-2026-44665

CVE-2026-44665

Description

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
fast-xml-buildernpm
< 1.1.71.1.7

Affected products

22

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.