Cyber Resilience

CVE-2026-26278

High · Public PoC

Published: 19 February 2026

Published: 19 February 2026
Modified: 23 February 2026
KEV Added: not listed
Patch: fixed in 5.3.6
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (9.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26278 is a high-severity XML Entity Expansion (CWE-776) vulnerability in Naturalintelligence Fast-Xml-Parser. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 9.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26278 is a denial-of-service vulnerability in the fast-xml-parser JavaScript library, which enables XML validation, parsing to JavaScript objects, or building XML from objects without C/C++ dependencies or callbacks. Affecting versions 4.1.3 through 5.3.5, the flaw (CWE-776) allows unlimited entity expansion during XML parsing. A small malicious XML input can trigger excessive processing, causing the parser to spend seconds or minutes on a single request and effectively freeze the application. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Any unauthenticated attacker with network access to an application using the vulnerable fast-xml-parser versions can exploit this remotely. By crafting a concise XML payload with expansive or recursive entity definitions, the attacker induces the parser to perform unbounded expansions, leading to high CPU consumption and temporary denial of service without requiring privileges or user interaction.

The vulnerability is addressed in fast-xml-parser version 5.3.6. As a workaround, disable DOCTYPE entity processing via the `processEntities: false` option. Additional details are available in the GitHub security advisory (GHSA-jmr7-xgp7-cmfj), the fixing commit (910dae5be2de2955e968558fadf6e8f74f117a77), and the v5.3.6 release notes.

EU & UK References

Vulnerability details

fast-xml-parser allows users to validate XML, parse XML to JS objects, or build XML from JS objects without C/C++ based libraries and without callbacks. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it's possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by setting the `processEntities: false` option.

CWE(s)

CWE-776 (XML Entity Expansion)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE enables remote application-layer DoS via XML entity expansion (CWE-776) that exhausts CPU; this maps directly to T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33036: same product (Naturalintelligence Fast-Xml-Parser)
CVE-2026-25128: same product (Naturalintelligence Fast-Xml-Parser)
CVE-2026-27942: same product (Naturalintelligence Fast-Xml-Parser)
CVE-2026-25896: same product (Naturalintelligence Fast-Xml-Parser)
CVE-2026-29074: shared CWE-776
CVE-2026-31248: shared CWE-776

Affected Assets

naturalintelligence
fast-xml-parser
4.1.3 — 5.3.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: directly remediates the unlimited entity expansion flaw in fast-xml-parser by requiring timely patching to version 5.3.6 or later.

Prevent (CM-6 Configuration Settings): enforces secure configuration of the XML parser with options like `processEntities: false` to disable DOCTYPE entity processing, the specified workaround.

Prevent (SI-10 Information Input Validation): validates XML inputs to reject payloads with expansive or recursive entities before they reach the vulnerable parser.
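The two mitigations the page names (the `processEntities: false` workaround from the advisory and input validation before the parser) can be combined in a small pre-parse guard. The following is an added example and is not code from fast-xml-parser or from the advisory; it loads no third-party module, so it runs stand-alone. It assumes the caller wires `guardedParse` in front of whatever parse function the application uses (for fast-xml-parser that would be an `XMLParser` created with the hardened options, which is assumed rather than executed here), and it estimates the fully expanded size of a document's internal entities against a byte budget so that nested or self-referencing declarations are rejected before any expansion work happens. The sample documents and limit values are constructed for illustration.

```javascript
'use strict';

// Added example, not fast-xml-parser code: a pre-parse guard against the
// entity-expansion input class behind CVE-2026-26278.

// Workaround from the advisory: disable DOCTYPE entity processing. Passing this
// object to fast-xml-parser's XMLParser is assumed, not executed, in this file.
const HARDENED_PARSER_OPTIONS = Object.freeze({ processEntities: false });

// Policy limits (constructed values; tune for your own traffic).
const LIMITS = Object.freeze({
  maxBytes: 1024 * 1024,        // reject oversized documents before any parsing
  maxExpandedBytes: 64 * 1024,  // budget for the document after entity expansion
  maxEntityDecls: 8,            // more internal declarations than this is suspicious
});

// Internal general entity declarations and references (internal subset only).
const ENTITY_DECL_RE = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF_RE = /&([A-Za-z_][\w.-]*);/g;

// Collect name -> replacement text for every declared internal entity.
function collectEntities(xml) {
  const entities = new Map();
  for (const m of xml.matchAll(ENTITY_DECL_RE)) {
    entities.set(m[1], m[2] !== undefined ? m[2] : m[3]);
  }
  return entities;
}

// Expanded byte count of one entity, memoised, with a budget and cycle check.
// Throws as soon as the budget is exceeded or an entity refers back to itself,
// so the cost of the check stays linear in the size of the declarations.
function expandedSize(name, entities, memo, stack, budget) {
  if (memo.has(name)) return memo.get(name);
  if (stack.has(name)) throw new Error(`recursive entity: ${name}`);
  const value = entities.get(name);
  if (value === undefined) return `&${name};`.length; // undeclared (e.g. &amp;): left as written
  stack.add(name);
  let size = 0;
  let last = 0;
  for (const m of value.matchAll(ENTITY_REF_RE)) {
    size += m.index - last;                                   // literal text before the reference
    size += expandedSize(m[1], entities, memo, stack, budget); // nested expansion
    if (size > budget) throw new Error(`expansion budget exceeded at ${name}`);
    last = m.index + m[0].length;
  }
  size += value.length - last;                                // trailing literal text
  stack.delete(name);
  memo.set(name, size);
  return size;
}

// Estimated size of the document body once every entity reference is expanded.
function estimateExpansion(xml, limits = LIMITS) {
  const entities = collectEntities(xml);
  const memo = new Map();
  const doctypeEnd = xml.indexOf(']>');
  const body = doctypeEnd === -1 ? xml : xml.slice(doctypeEnd + 2);
  let total = body.length;
  for (const m of body.matchAll(ENTITY_REF_RE)) {
    total += expandedSize(m[1], entities, memo, new Set(), limits.maxExpandedBytes) - m[0].length;
    if (total > limits.maxExpandedBytes) throw new Error('expansion budget exceeded');
  }
  return { declarations: entities.size, expandedBytes: total };
}

// Verdict on raw XML text before it reaches any parser.
function inspectXml(xml, limits = LIMITS) {
  if (typeof xml !== 'string') return { ok: false, reason: 'input is not a string' };
  if (Buffer.byteLength(xml, 'utf8') > limits.maxBytes) return { ok: false, reason: 'document too large' };
  try {
    const { declarations, expandedBytes } = estimateExpansion(xml, limits);
    if (declarations > limits.maxEntityDecls) return { ok: false, reason: `${declarations} entity declarations` };
    return { ok: true, declarations, expandedBytes };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Wire the guard in front of a parse function. `parseFn` is assumed to be
// something like `(xml, opts) => new XMLParser(opts).parse(xml)`.
function guardedParse(xml, parseFn, limits = LIMITS) {
  const verdict = inspectXml(xml, limits);
  if (!verdict.ok) throw new Error(`rejected XML: ${verdict.reason}`);
  return parseFn(xml, HARDENED_PARSER_OPTIONS);
}

// Constructed sample inputs for the checks below.
const SAMPLE_BENIGN = '<?xml version="1.0"?><order><id>42</id><note>a &amp; b</note></order>';
const SAMPLE_NESTED = [
  '<?xml version="1.0"?>',
  '<!DOCTYPE d [',
  '<!ENTITY a "xxxx">',
  '<!ENTITY b "&a;&a;&a;&a;">',
  '<!ENTITY c "&b;&b;&b;&b;">',
  ']>',
  '<d>&c;</d>',
].join('\n');
const SAMPLE_CYCLIC = '<!DOCTYPE d [<!ENTITY p "&q;"><!ENTITY q "&p;">]><d>&p;</d>';

module.exports = { HARDENED_PARSER_OPTIONS, LIMITS, inspectXml, guardedParse, SAMPLE_BENIGN, SAMPLE_NESTED, SAMPLE_CYCLIC };
```

The guard deliberately never expands anything: it only sums expansion sizes, stops at the first budget overrun, and treats a self-referencing chain as a rejection rather than an error to recover from. It is an additional layer, not a replacement for upgrading to 5.3.6; the `processEntities: false` option still has to be set on the parser that ultimately consumes the document.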

References