What is CVE-2026-26278?

CVE-2026-26278 is a high-severity vulnerability in Naturalintelligence Fast-xml-parser, classified under Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion). CVSS score: 7.5/10. Published 2026-02-19.

How severe is CVE-2026-26278?

High severity. CVSS v3 base score is 7.5 out of 10.

XXE in Naturalintelligence Fast-xml-parser

CVE-2026-26278

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of ent…

EPSS: 0.000 (9.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Naturalintelligence Fast-xml-parser — versions >= 5.0.0, < 5.3.6, >= 4.1.3, < 4.5.4

Weakness classification (CWE)

CWE-776 — Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion)

References

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj (x_refsource_CONFIRM)
https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77 (x_refsource_MISC)
https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-26278?: CVE-2026-26278 is a high-severity vulnerability in Naturalintelligence Fast-xml-parser, classified under Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion). CVSS score: 7.5/10. Published 2026-02-19.
How severe is CVE-2026-26278?: High severity. CVSS v3 base score is 7.5 out of 10.