What is the CVSS score of CVE-2026-26278?

CVE-2026-26278 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of Fast Xml Parser are affected by CVE-2026-26278?

fast-xml-parser versions 4.1.3 through 5.3.5 contain a critical denial-of-service vulnerability that allows attackers to freeze applications through XML entity expansion attacks.. A patch is available.

Is there a public PoC exploit available for CVE-2026-26278?

Yes, a public proof-of-concept exploit is available for CVE-2026-26278. Prioritise patching immediately. EPSS: 0.1%.

Fast Xml Parser CVE-2026-26278

HIGH

Improper Restriction of Recursive Entity References in DTDs (CWE-776)

2026-02-19 security-advisories@github.com

GHSA-jmr7-xgp7-cmfj

Denial Of Service XXE Red Hat Fast Xml Parser Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

PoC Detected

Feb 23, 2026 - 19:30 vuln.today

Public exploit code

Patch released

Feb 23, 2026 - 19:30 nvd

Patch available

CVE Published

Feb 19, 2026 - 20:25 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

85 npm packages depend on fast-xml-parser (19 direct, 66 indirect)

Ecosystem-wide dependent count for version 4.1.3.

DescriptionNVD

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by processEntities: false option.

AnalysisAI

Fast XML Parser versions 4.1.3 through 5.3.5 are vulnerable to XML entity expansion attacks that allow remote attackers to cause denial of service by forcing unbounded entity expansion with minimal payload sizes. Public exploit code exists for this vulnerability, enabling attackers to freeze or severely degrade application performance. …

RemediationAI

Within 24 hours: Identify all systems and applications using fast-xml-parser versions 4.1.3-5.3.5 through dependency scanning. Within 7 days: Upgrade to version 5.3.6 or later for all affected applications and conduct validation testing. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory