Vendor CVEs
Libexpat Project
All CVEs
63 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-0718 | | Cri | 0.65 | 9.8 | 0.13 | | May 26, 2016 | Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow. |
| CVE-2024-45492 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 30, 2024 | An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). |
| CVE-2024-45491 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 30, 2024 | An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). |
| CVE-2016-9063 | | Cri | 0.57 | 9.8 | 0.06 | | Jun 11, 2018 | An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50. |
| CVE-2016-4472 | | Hig | 0.54 | 8.1 | 0.12 | | Jun 30, 2016 | The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix… |
| CVE-2017-11742 | | Hig | 0.51 | 7.8 | 0.00 | | Jul 30, 2017 | The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking. |
| CVE-2024-45490 | | Hig | 0.49 | 7.5 | 0.02 | | Aug 30, 2024 | An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. |
| CVE-2017-9233 | | Hig | 0.49 | 7.5 | 0.09 | | Jul 25, 2017 | XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD. |
| CVE-2016-5300 | | Hig | 0.49 | 7.5 | 0.07 | | Jun 16, 2016 | The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for… |
| CVE-2025-59375 | | Hig | 0.42 | 7.5 | 0.01 | | Sep 15, 2025 | libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. |
| CVE-2024-8176 | | Hig | 0.42 | 7.5 | 0.02 | | Mar 14, 2025 | A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and… |
| CVE-2012-6702 | | Med | 0.39 | 5.9 | 0.02 | | Jun 16, 2016 | Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. |
| CVE-2026-25210 | | Med | 0.38 | 6.9 | 0.00 | | Jan 30, 2026 | In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. |
| CVE-2026-50219 | | Med | 0.25 | 4.9 | 0.00 | | Jun 4, 2026 | libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur, |
| CVE-2025-66382 | | Low | 0.19 | 2.9 | 0.00 | | Nov 28, 2025 | In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. |
| CVE-2026-45186 | | Low | 0.12 | 2.9 | 0.00 | | May 10, 2026 | In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input. |
| CVE-2026-41080 | | Low | 0.12 | 2.9 | 0.00 | | Apr 16, 2026 | libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. |
| CVE-2026-24515 | | Low | 0.12 | 2.9 | 0.00 | | Jan 23, 2026 | In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. |
| CVE-2022-25236 | | | 0.03 | — | 0.34 | | Feb 16, 2022 | xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. |
| CVE-2015-1283 | | | 0.02 | — | 0.19 | | Jul 23, 2015 | Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via… |
| CVE-2013-0340 | | | 0.02 | — | 0.19 | | Jan 21, 2014 | expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read… |
| CVE-2009-3560 | | | 0.02 | — | 0.24 | | Dec 4, 2009 | The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read,… |
| CVE-2009-3720 | | | 0.02 | — | 0.28 | | Nov 3, 2009 | The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that… |
| CVE-2019-15903 | | | 0.01 | — | 0.07 | | Sep 4, 2019 | In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. |
| CVE-2018-20843 | | | 0.01 | — | 0.07 | | Jun 24, 2019 | In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). |
| CVE-2026-56412 | | | 0.00 | — | 0.00 | | Jun 21, 2026 | libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix… |
| CVE-2026-56411 | | | 0.00 | — | 0.00 | | Jun 21, 2026 | xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations. |
| CVE-2026-56410 | | | 0.00 | — | 0.00 | | Jun 21, 2026 | xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId. |
| CVE-2026-56409 | | | 0.00 | — | 0.00 | | Jun 21, 2026 | xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used. |
| CVE-2026-56408 | | | 0.00 | — | 0.00 | | Jun 21, 2026 | libexpat before 2.8.2 has an integer overflow in copyString. |
| CVE-2026-56407 | | | 0.00 | — | 0.00 | | Jun 21, 2026 | libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen. |
| CVE-2026-56406 | | | 0.00 | — | 0.00 | | Jun 21, 2026 | libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse. |
| CVE-2026-56405 | | | 0.00 | — | 0.00 | | Jun 21, 2026 | libexpat before 2.8.2 has an integer overflow in getAttributeId. |
| CVE-2026-56404 | | | 0.00 | — | 0.00 | | Jun 21, 2026 | libexpat before 2.8.2 has an integer overflow in addBinding. |
| CVE-2026-56403 | | | 0.00 | — | 0.00 | | Jun 21, 2026 | libexpat before 2.8.2 has an integer overflow in storeAtts. |
| CVE-2026-56132 | | | 0.00 | — | 0.00 | | Jun 19, 2026 | In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers. |
| CVE-2026-56131 | | | 0.00 | — | 0.00 | | Jun 19, 2026 | libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation). |
| CVE-2026-32778 | | | 0.00 | — | 0.00 | | Mar 16, 2026 | libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition. |
| CVE-2026-32777 | | | 0.00 | — | 0.00 | | Mar 16, 2026 | libexpat before 2.7.5 allows an infinite loop while parsing DTD content. |
| CVE-2026-32776 | | | 0.00 | — | 0.00 | | Mar 16, 2026 | libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. |
| CVE-2024-50602 | | | 0.00 | — | 0.01 | | Oct 27, 2024 | An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. |
| CVE-2024-28757 | | | 0.00 | — | 0.02 | | Mar 10, 2024 | libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). |
| CVE-2023-52426 | | | 0.00 | — | 0.00 | | Feb 4, 2024 | libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. |
| CVE-2023-52425 | | | 0.00 | — | 0.02 | | Feb 4, 2024 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. |
| CVE-2022-43680 | | | 0.00 | — | 0.02 | | Oct 24, 2022 | In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. |
| CVE-2022-40674 | | | 0.00 | — | 0.02 | | Sep 14, 2022 | libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. |
| CVE-2022-25314 | | | 0.00 | — | 0.05 | | Feb 18, 2022 | In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. |
| CVE-2022-25315 | | | 0.00 | — | 0.05 | | Feb 18, 2022 | In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. |
| CVE-2022-25313 | | | 0.00 | — | 0.03 | | Feb 18, 2022 | In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. |
| CVE-2022-25235 | | | 0.00 | — | 0.05 | | Feb 16, 2022 | xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. |
Page 1 of 2