Skip to main content

Xml

3 CVEs product

Monthly

CVE-2026-57074 PATCH This Week

XML::Bare versions through 0.53 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read.

Buffer Overflow Information Disclosure Xml
NVD GitHub
CVE-2026-13401 PATCH Monitor

XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parserc_parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "<a ='c'>" or unbalanced quotes "<a b='''''''c'>" can trigger this condition.

Denial Of Service Xml
NVD GitHub
CVE-2026-8177 HIGH PATCH This Week

Out-of-bounds heap read in XML::LibXML for Perl (all versions through 2.0210) allows remote attackers to trigger denial-of-service crashes by supplying XML node names with truncated UTF-8 sequences. The parser fails to validate multi-byte UTF-8 boundaries in node names, reading past allocated memory into adjacent heap regions. No public exploit identified at time of analysis, with EPSS score of 0.01% indicating very low observed exploitation probability. Vendor-released patch available via upstream commit 15652bd9.

Denial Of Service Information Disclosure Buffer Overflow Xml
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
PATCH This Week

XML::Bare versions through 0.53 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read.

Buffer Overflow Information Disclosure Xml
NVD GitHub
PATCH Monitor

XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parserc_parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "<a ='c'>" or unbalanced quotes "<a b='''''''c'>" can trigger this condition.

Denial Of Service Xml
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Out-of-bounds heap read in XML::LibXML for Perl (all versions through 2.0210) allows remote attackers to trigger denial-of-service crashes by supplying XML node names with truncated UTF-8 sequences. The parser fails to validate multi-byte UTF-8 boundaries in node names, reading past allocated memory into adjacent heap regions. No public exploit identified at time of analysis, with EPSS score of 0.01% indicating very low observed exploitation probability. Vendor-released patch available via upstream commit 15652bd9.

Denial Of Service Information Disclosure Buffer Overflow +1
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy