VYPR

Fast XML Builder

by NaturalIntelligence

Source repositories

CVEs (2)

  • CVE-2026-44664MedMay 13, 2026
    risk 0.40cvss 6.1epss 0.00

    fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out…

  • CVE-2026-44665MedMay 13, 2026
    risk 0.33cvss 6.1epss 0.00

    fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the…