CVE-2026-44665
MEDIUM6.1EPSS 0.01%fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes
發布日:2026/5/8修改日:2026/5/14
描述
# Summary When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. ## Detail Malicious Input ``` { a: { "@_attr": '" onClick="alert(1)' } } ``` Output ```xml <a attr="" onClick="alert(1)"></a> ``` ### Workarounds If you're not ignoring attributes then keep processEntities flag true.
受影響套件(1)
- npm/fast-xml-builderfrom 0, < 1.1.7
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |