XPath Injection in Naturalintelligence Fast-xml-builder

CVE-2026-44665

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when input data has quotes in attribute values but process entities is not enabled, the builder breaks the attribute value into multiple attributes. This gives room for an attacker to in…

EPSS: 0.000 (percentile 1.3).

CVSS v3 metric

CVSS v3 base score 6.1 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Frequently asked questions

What is CVE-2026-44665?
CVE-2026-44665 is a medium-severity vulnerability in Naturalintelligence Fast-xml-builder, classified under XML Injection (Blind XPath Injection). CVSS score: 6.1/10. Published 2026-05-13.

How severe is CVE-2026-44665?
Medium severity. The CVSS v3 base score is 6.1 out of 10.