CVE-2026-44665

MEDIUM6.1EPSS 0.01%

fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes

Published: 5/8/2026Modified: 5/14/2026

Also known as:GHSA-5wm8-gmm8-39j9CGA-597g-f23h-f9v7

Description

# Summary When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. ## Detail Malicious Input ``` { a: { "@_attr": '" onClick="alert(1)' } } ``` Output ```xml <a attr="" onClick="alert(1)"></a> ``` ### Workarounds If you're not ignoring attributes then keep processEntities flag true.

Affected packages (1)

npm/fast-xml-builderfrom 0, < 1.1.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-44665
PATCHhttps://github.com/NaturalIntelligence/fast-xml-builder
WEBhttps://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9