pkg:npm/fast-xml-parser

10 total CVEs: CRITICAL 1, HIGH 6, MEDIUM 3

All known vulnerabilities

  • CRITICAL 9.3 CVE-2026-25896: fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
    >= 5.0.0, < 5.3.5
  • HIGH 7.5 CVE-2026-33036: fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
    >= 5.0.0, < 5.5.6
  • HIGH 7.5 CVE-2026-27942: fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
    >= 5.0.0, < 5.3.8
  • HIGH 7.5 CVE-2026-26278: fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
    >= 4.1.3, < 4.5.4
  • HIGH 7.5 CVE-2026-25128: fast-xml-parser has RangeError DoS Numeric Entities Bug
    >= 5.0.9, < 5.3.4
  • HIGH 7.5 CVE-2024-41818: fast-xml-parser vulnerable to ReDOS at currency parsing
    >= 4.3.5, < 4.4.1
  • HIGH 7.5 CVE-2023-34104: fast-xml-parser vulnerable to Regex Injection via Doctype Entities
    >= 4.1.3, < 4.2.4
  • MEDIUM 6.5 CVE-2023-26920: fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name
    from 0, < 4.1.2
  • MEDIUM 6.1 CVE-2026-41650: fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
    from 0, < 5.7.0
  • MEDIUM 5.9 CVE-2026-33349: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
    >= 4.0.0-beta.3, < 4.5.5