Medium severity6.1GHSA Advisory· Published May 13, 2026· Updated May 13, 2026

CVE-2026-44665

Description

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
fast-xml-buildernpm	< 1.1.7	1.1.7

Affected products

Naturalintelligence/Fast Xml BuilderGHSA
Range: <= 1.1.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-5wm8-gmm8-39j9ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-44665ghsaADVISORY
github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000