XML Injection (aka Blind XPath Injection) in fast-xml-parser

CVE-2026-41650

fast-xml-parser
org.webjars.npm:fast-xml-parser

Medium

6.1/10

Summary

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: CHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-91 - XML Injection (aka Blind XPath Injection)

The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

References

Advisory

Advisory Timeline

Published May 07, 2026

XML Injection (aka Blind XPath Injection) in fast-xml-parser

CVE-2026-41650

Summary

CWE-91 - XML Injection (aka Blind XPath Injection)

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS