Known Vulnerabilities for products from Libexpat Project

Listed below are 20 of the newest known vulnerabilities associated with the vendor "Libexpat Project".

These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.

Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.

Known Vulnerabilities

CVE Shortened Description Severity Publish Date Last Modified
CVE-2026-56412 json libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for v... Not Provided 2026-06-21 2026-06-23
CVE-2026-56411 json xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations. Not Provided 2026-06-21 2026-06-23
CVE-2026-56410 json xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId. Not Provided 2026-06-21 2026-06-23
CVE-2026-56409 json xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used. Not Provided 2026-06-21 2026-06-23
CVE-2026-56408 json libexpat before 2.8.2 has an integer overflow in copyString. Not Provided 2026-06-21 2026-06-23
CVE-2026-56407 json libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen. Not Provided 2026-06-21 2026-06-23
CVE-2026-56406 json libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse. Not Provided 2026-06-21 2026-06-23
CVE-2026-56405 json libexpat before 2.8.2 has an integer overflow in getAttributeId. Not Provided 2026-06-21 2026-06-23
CVE-2026-56404 json libexpat before 2.8.2 has an integer overflow in addBinding. Not Provided 2026-06-21 2026-06-23
CVE-2026-56403 json libexpat before 2.8.2 has an integer overflow in storeAtts. Not Provided 2026-06-21 2026-06-23
CVE-2026-56132 json In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array real... Not Provided 2026-06-19 2026-06-23
CVE-2026-56131 json libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a poli... Not Provided 2026-06-19 2026-06-23
CVE-2026-50219 json libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFre... Not Provided 2026-06-04 2026-06-04
CVE-2026-45186 json In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via mode... Not Provided 2026-05-10 2026-06-30
CVE-2026-41080 json libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. Not Provided 2026-04-16 2026-06-12
CVE-2026-25210 json In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no inte... Not Provided 2026-01-30 2026-06-02
CVE-2026-24515 json In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. Not Provided 2026-01-23 2026-06-02
CVE-2025-66382 json In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. Not Provided 2025-11-28 2026-06-02
CVE-2025-59375 json libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is subm... Not Provided 2025-09-15 2026-05-12
CVE-2024-45492 json An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize... Not Provided 2024-08-30 2026-05-12

Known software with vulnerabilities from Libexpat Project

Type Vendor Product Version
ApplicationLibexpat ProjectLibexpat-
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report