What is CVE-2026-33349?

CVE-2026-33349 is a medium-severity vulnerability in Naturalintelligence Fast-xml-parser, classified under Improper Validation of Specified Quantity in Input. CVSS score: 5.9/10. Published 2026-03-24.

How severe is CVE-2026-33349?

Medium severity. CVSS v3 base score is 5.9 out of 10.

Vulnerability in Naturalintelligence Fast-xml-parser

CVE-2026-33349

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEnt…

EPSS: 0.000 (12.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Naturalintelligence Fast-xml-parser — versions >= 4.0.0-beta.3, < 5.5.7

Weakness classification (CWE)

CWE-1284 — Improper Validation of Specified Quantity in Input

References

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g (x_refsource_CONFIRM)
https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33349?: CVE-2026-33349 is a medium-severity vulnerability in Naturalintelligence Fast-xml-parser, classified under Improper Validation of Specified Quantity in Input. CVSS score: 5.9/10. Published 2026-03-24.
How severe is CVE-2026-33349?: Medium severity. CVSS v3 base score is 5.9 out of 10.