What is the CVSS score of CVE-2026-25896?

CVE-2026-25896 has a CVSS 3.1 base score of 9.3 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Fast Xml Parser are affected by CVE-2026-25896?

Fast-Xml-Parser versions up to 5.3.5 contain a critical vulnerability (CVSS 9.3) that allows remote attackers to execute arbitrary code through XML processing.. A patch is available.

Is there a public PoC exploit available for CVE-2026-25896?

Yes, a public proof-of-concept exploit is available for CVE-2026-25896. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-25896?

Within 24 hours: Inventory all applications and dependencies using Fast-Xml-Parser and identify affected systems in production and development environments. Within 7 days: Apply vendor patch to upgrade Fast-Xml-Parser to version 5.3.6 or later across all systems; test patches in staging environment before production deployment. Within 30 days: Verify patch deployment across all systems through vulnerability scanning, implement change management documentation, and conduct post-incident review to prevent similar exposure gaps.

Fast Xml Parser CVE-2026-25896

CRITICAL

Incorrect Regular Expression (CWE-185)

2026-02-20 security-advisories@github.com

GHSA-m7jm-9gc2-mpf2

XSS Fast Xml Parser Red Hat

9.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.3 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Red Hat

7.1 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

PoC Detected

Mar 02, 2026 - 14:54 vuln.today

Public exploit code

Patch released

Mar 02, 2026 - 14:54 nvd

Patch available

CVE Published

Feb 20, 2026 - 21:19 nvd

CRITICAL 9.3

DescriptionGitHub Advisory

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.

AnalysisAI

ReDoS in fast-xml-parser before fix via crafted XML. PoC and patch available.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft XML with DOCTYPE entity containing dot wildcard

Exploit

Shadow built-in XML entities with malicious values

Execution

Inject arbitrary HTML/JavaScript payload

Impact

Execute XSS in rendered output

Access

Craft XML with DOCTYPE entity containing dot wildcard

Exploit

Shadow built-in XML entities with malicious values

Execution

Inject arbitrary HTML/JavaScript payload

Impact

Execute XSS in rendered output

Vulnerability AssessmentAI

Exploitation	No special conditions — remote unauthenticated exploitation against fast-xml-parser versions 4.1.3 to before 5.3.5 with default parsing configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.3. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Crafted XML triggers catastrophic regex backtracking.
Remediation	Apply patch. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all applications and dependencies using Fast-Xml-Parser and identify affected systems in production and development environments. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

CVE-2026-25896 vulnerability details – vuln.today

Back

Fast Xml Parser CVE-2026-25896

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

Share

External POC / Exploit Code