{"api_version":"1","generated_at":"2026-06-30T22:42:27+00:00","cve":"CVE-2026-26278","urls":{"html":"https://cve.report/CVE-2026-26278","api":"https://cve.report/api/cve/CVE-2026-26278.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-26278","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-26278"},"summary":{"title":"fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)","description":"fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-02-19 20:25:43","updated_at":"2026-06-30 03:17:49"},"problem_types":["CWE-776","CWE-776 CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')"],"metrics":[{"version":"3.1","source":"ADP","type":"CVSS","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:6802","name":"https://access.redhat.com/errata/RHSA-2026:6802","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441120","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2441120","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:6174","name":"https://access.redhat.com/errata/RHSA-2026:6174","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6","name":"https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6","refsource":"security-advisories@github.com","tags":["Product","Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:7110","name":"https://access.redhat.com/errata/RHSA-2026:7110","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:7128","name":"https://access.redhat.com/errata/RHSA-2026:7128","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-26278","name":"https://access.redhat.com/security/cve/CVE-2026-26278","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj","name":"https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj","refsource":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26278.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26278.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77","name":"https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77","refsource":"security-advisories@github.com","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-26278","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26278","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"NaturalIntelligence","product":"fast-xml-parser","version":"affected >= 5.0.0, < 5.3.6","platforms":[]},{"source":"CNA","vendor":"NaturalIntelligence","product":"fast-xml-parser","version":"affected >= 4.1.3, < 4.5.4","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Advanced Cluster Security for Kubernetes 4.8","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Advanced Cluster Security for Kubernetes 4.9","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Developer Hub 1.8","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Developer Hub 1.9","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Migration Toolkit for Applications 8","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Openshift Data Foundation 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift GitOps","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift Virtualization 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Satellite 6","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Self-service automation portal 2","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-02-19T21:03:33.363Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-02-19T19:40:55.842Z","lang":"en","value":"Made public."}],"solutions":[{"source":"ADP","title":"","value":"RHSA-2026:7110: Red Hat Advanced Cluster Security for Kubernetes 4.8","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:7128: Red Hat Advanced Cluster Security for Kubernetes 4.9","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6174: Red Hat Developer Hub 1.8","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6802: Red Hat Developer Hub 1.9","time":"","lang":"en"}],"workarounds":[{"source":"ADP","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"26278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"naturalintelligence","cpe5":"fast-xml-parser","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-26278","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-02-19T20:58:40.378859Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-02-19T21:21:49.452Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/a:redhat:advanced_cluster_security:4.8::el8"],"defaultStatus":"affected","product":"Red Hat Advanced Cluster Security for Kubernetes 4.8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:advanced_cluster_security:4.9::el8"],"defaultStatus":"affected","product":"Red Hat Advanced Cluster Security for Kubernetes 4.9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhdh:1.8::el9"],"defaultStatus":"affected","product":"Red Hat Developer Hub 1.8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhdh:1.9::el9"],"defaultStatus":"affected","product":"Red Hat Developer Hub 1.9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:migration_toolkit_applications:8"],"defaultStatus":"affected","product":"Migration Toolkit for Applications 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_data_foundation:4"],"defaultStatus":"affected","product":"Red Hat Openshift Data Foundation 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_gitops:1"],"defaultStatus":"affected","product":"Red Hat OpenShift GitOps","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4"],"defaultStatus":"affected","product":"Red Hat OpenShift Virtualization 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"affected","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_portal:2"],"defaultStatus":"affected","product":"Self-service automation portal 2","vendor":"Red Hat"}],"datePublic":"2026-02-19T19:40:55.842Z","descriptions":[{"lang":"en","value":"A denial of service flaw was found in fast-xml-parser. A remote attacker can exploit this vulnerability by providing a specially crafted, small XML input. This input can force the XML parser to perform an unlimited amount of entity expansion, consuming excessive resources. This can lead to the application freezing for an extended period, resulting in a Denial of Service (DoS)."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-776","description":"Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T02:45:34.257Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-26278"},{"name":"RHBZ#2441120","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441120"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26278.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7110"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7128"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6174"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6802"}],"solutions":[{"lang":"en","value":"RHSA-2026:7110: Red Hat Advanced Cluster Security for Kubernetes 4.8"},{"lang":"en","value":"RHSA-2026:7128: Red Hat Advanced Cluster Security for Kubernetes 4.9"},{"lang":"en","value":"RHSA-2026:6174: Red Hat Developer Hub 1.8"},{"lang":"en","value":"RHSA-2026:6802: Red Hat Developer Hub 1.9"}],"timeline":[{"lang":"en","time":"2026-02-19T21:03:33.363Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-19T19:40:55.842Z","value":"Made public."}],"title":"fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"product":"fast-xml-parser","vendor":"NaturalIntelligence","versions":[{"status":"affected","version":">= 5.0.0, < 5.3.6"},{"status":"affected","version":">= 4.1.3, < 4.5.4"}]}],"descriptions":[{"lang":"en","value":"fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-776","description":"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-02T19:11:59.388Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj","tags":["x_refsource_CONFIRM"],"url":"https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj"},{"name":"https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77","tags":["x_refsource_MISC"],"url":"https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77"},{"name":"https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6","tags":["x_refsource_MISC"],"url":"https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6"}],"source":{"advisory":"GHSA-jmr7-xgp7-cmfj","discovery":"UNKNOWN"},"title":"fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-26278","datePublished":"2026-02-19T19:40:55.842Z","dateReserved":"2026-02-12T17:10:53.414Z","dateUpdated":"2026-06-30T02:45:34.257Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-02-19 20:25:43","lastModifiedDate":"2026-06-30 03:17:49","problem_types":["CWE-776","CWE-776 CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-19T20:58:40.378859Z","id":"CVE-2026-26278","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1.3","versionEndExcluding":"5.3.6","matchCriteriaId":"36BABE8E-2E99-48E8-8F1D-2B1CC69D5BB2"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"26278","Ordinal":"1","Title":"fast-xml-parser affected by DoS through entity expansion in DOCT","CVE":"CVE-2026-26278","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"26278","Ordinal":"1","NoteData":"fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.","Type":"Description","Title":"fast-xml-parser affected by DoS through entity expansion in DOCT"}]}}}