What is CVE-2026-25896?

CVE-2026-25896 is a critical-severity vulnerability in Naturalintelligence Fast-xml-parser, classified under Incorrect Regular Expression. CVSS score: 9.3/10. Published 2026-02-20.

How severe is CVE-2026-25896?

Critical severity. CVSS v3 base score is 9.3 out of 10.

Vulnerability in Naturalintelligence Fast-xml-parser

CVE-2026-25896

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard d…

EPSS: 0.000 (5.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.3 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N.

Affected products

Naturalintelligence Fast-xml-parser — versions >= 5.0.0, < 5.3.5, >= 4.1.3, < 4.5.4

Weakness classification (CWE)

CWE-185 — Incorrect Regular Expression

References

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-m7jm-9gc2-mpf2 (x_refsource_CONFIRM)
https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e (x_refsource_MISC)
https://github.com/NaturalIntelligence/fast-xml-parser/commit/ddcd0acf26ddd682cb0dc15a2bd6aa3b96bb1e69 (x_refsource_MISC)
https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.5 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-25896?: CVE-2026-25896 is a critical-severity vulnerability in Naturalintelligence Fast-xml-parser, classified under Incorrect Regular Expression. CVSS score: 9.3/10. Published 2026-02-20.
How severe is CVE-2026-25896?: Critical severity. CVSS v3 base score is 9.3 out of 10.