Libexpat
Source repositories
CVEs (55)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-3560 | 0.02 | — | 0.24 | Dec 4, 2009 | The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read,… | |||
| CVE-2009-3720 | 0.02 | — | 0.28 | Nov 3, 2009 | The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that… | |||
| CVE-2026-56412 | 0.00 | — | 0.00 | Jun 21, 2026 | libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix… | |||
| CVE-2026-56411 | 0.00 | — | 0.00 | Jun 21, 2026 | xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations. | |||
| CVE-2026-56410 | 0.00 | — | 0.00 | Jun 21, 2026 | xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId. | |||
| CVE-2026-56409 | 0.00 | — | 0.00 | Jun 21, 2026 | xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used. | |||
| CVE-2026-56408 | 0.00 | — | 0.00 | Jun 21, 2026 | libexpat before 2.8.2 has an integer overflow in copyString. | |||
| CVE-2026-56407 | 0.00 | — | 0.00 | Jun 21, 2026 | libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen. | |||
| CVE-2026-56406 | 0.00 | — | 0.00 | Jun 21, 2026 | libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse. | |||
| CVE-2026-56405 | 0.00 | — | 0.00 | Jun 21, 2026 | libexpat before 2.8.2 has an integer overflow in getAttributeId. | |||
| CVE-2026-56404 | 0.00 | — | 0.00 | Jun 21, 2026 | libexpat before 2.8.2 has an integer overflow in addBinding. | |||
| CVE-2026-56403 | 0.00 | — | 0.00 | Jun 21, 2026 | libexpat before 2.8.2 has an integer overflow in storeAtts. | |||
| CVE-2026-56132 | 0.00 | — | 0.00 | Jun 19, 2026 | In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers. | |||
| CVE-2026-56131 | 0.00 | — | 0.00 | Jun 19, 2026 | libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation). | |||
| CVE-2026-32778 | 0.00 | — | 0.00 | Mar 16, 2026 | libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition. | |||
| CVE-2026-32777 | 0.00 | — | 0.00 | Mar 16, 2026 | libexpat before 2.7.5 allows an infinite loop while parsing DTD content. | |||
| CVE-2026-32776 | 0.00 | — | 0.00 | Mar 16, 2026 | libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. | |||
| CVE-2024-50602 | 0.00 | — | 0.01 | Oct 27, 2024 | An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. | |||
| CVE-2024-28757 | 0.00 | — | 0.02 | Mar 10, 2024 | libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). | |||
| CVE-2023-52425 | 0.00 | — | 0.02 | Feb 4, 2024 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. |
- CVE-2009-3560Dec 4, 2009risk 0.02cvss —epss 0.24
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read,…
- CVE-2009-3720Nov 3, 2009risk 0.02cvss —epss 0.28
The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that…
- CVE-2026-56412Jun 21, 2026risk 0.00cvss —epss 0.00
libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix…
- CVE-2026-56411Jun 21, 2026risk 0.00cvss —epss 0.00
xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.
- CVE-2026-56410Jun 21, 2026risk 0.00cvss —epss 0.00
xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.
- CVE-2026-56409Jun 21, 2026risk 0.00cvss —epss 0.00
xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used.
- CVE-2026-56408Jun 21, 2026risk 0.00cvss —epss 0.00
libexpat before 2.8.2 has an integer overflow in copyString.
- CVE-2026-56407Jun 21, 2026risk 0.00cvss —epss 0.00
libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen.
- CVE-2026-56406Jun 21, 2026risk 0.00cvss —epss 0.00
libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse.
- CVE-2026-56405Jun 21, 2026risk 0.00cvss —epss 0.00
libexpat before 2.8.2 has an integer overflow in getAttributeId.
- CVE-2026-56404Jun 21, 2026risk 0.00cvss —epss 0.00
libexpat before 2.8.2 has an integer overflow in addBinding.
- CVE-2026-56403Jun 21, 2026risk 0.00cvss —epss 0.00
libexpat before 2.8.2 has an integer overflow in storeAtts.
- CVE-2026-56132Jun 19, 2026risk 0.00cvss —epss 0.00
In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.
- CVE-2026-56131Jun 19, 2026risk 0.00cvss —epss 0.00
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation).
- CVE-2026-32778Mar 16, 2026risk 0.00cvss —epss 0.00
libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.
- CVE-2026-32777Mar 16, 2026risk 0.00cvss —epss 0.00
libexpat before 2.7.5 allows an infinite loop while parsing DTD content.
- CVE-2026-32776Mar 16, 2026risk 0.00cvss —epss 0.00
libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.
- CVE-2024-50602Oct 27, 2024risk 0.00cvss —epss 0.01
An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.
- CVE-2024-28757Mar 10, 2024risk 0.00cvss —epss 0.02
libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).
- CVE-2023-52425Feb 4, 2024risk 0.00cvss —epss 0.02
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
Page 2 of 3