Cyber Posture

CVE-2026-26278

Severity: High · Public PoC

Published: 19 February 2026
Modified: 23 February 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (9.2th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26278 is a high-severity XML Entity Expansion (CWE-776) vulnerability in Naturalintelligence Fast-Xml-Parser. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 9.2th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE enables remote application-layer DoS through XML entity expansion (CWE-776) that exhausts CPU, which maps directly to T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.

Deeper analysis (AI-generated)

CVE-2026-26278 is a denial-of-service vulnerability in the fast-xml-parser JavaScript library, which enables XML validation, parsing to JavaScript objects, or building XML from objects without C/C++ dependencies or callbacks. Affecting versions 4.1.3 through 5.3.5, the flaw (CWE-776) allows unlimited entity expansion during XML parsing. A small malicious XML input can trigger excessive processing, causing the parser to spend seconds or minutes on a single request and effectively freeze the application. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Any unauthenticated attacker with network access to an application using the vulnerable fast-xml-parser versions can exploit this remotely. By crafting a concise XML payload with expansive or recursive entity definitions, the attacker induces the parser to perform unbounded expansions, leading to high CPU consumption and temporary denial of service without requiring privileges or user interaction.

The vulnerability is addressed in fast-xml-parser version 5.3.6. As a workaround, disable DOCTYPE entity processing via the `processEntities: false` option. Additional details are available in the GitHub security advisory (GHSA-jmr7-xgp7-cmfj), the fixing commit (910dae5be2de2955e968558fadf6e8f74f117a77), and the v5.3.6 release notes.
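Beyond upgrading or setting `processEntities: false`, a defender can screen untrusted XML before it reaches any parser. The block below is an added example, not fast-xml-parser's own code: it resolves the internal general entities declared in a DOCTYPE, computes how large each becomes once nested references are expanded, and rejects the document if any entity exceeds a byte budget, references itself, or if external or parameter entities are declared at all. The function names, the default budget and the constructed sample inputs in the test are assumptions.

```javascript
// Added example (not fast-xml-parser code): pre-parse guard against CWE-776.
// Assumption: callers run assessEntityExpansion() on the raw string before
// handing it to any XML parser, and reject the request when ok === false.
const ENTITY_DECL = /<!ENTITY\s+(%\s*)?([A-Za-z_:][\w.:-]*)\s+(?:(SYSTEM|PUBLIC)\b|"([^"]*)"|'([^']*)')/g;
const ENTITY_REF = /&([A-Za-z_:][\w.:-]*);/g;

// Collect internal general entities; flag parameter (%) and external entities.
function collectEntities(xml) {
  const entities = new Map();
  let external = false;
  for (const m of xml.matchAll(ENTITY_DECL)) {
    if (m[1] || m[3]) { external = true; continue; }
    entities.set(m[2], m[4] !== undefined ? m[4] : m[5]);
  }
  return { entities, external };
}

// Fully expanded length of entity `name`, memoised per document.
// Throws on a reference cycle or when the expansion passes `budget` bytes.
function expandedLength(name, entities, memo, budget, stack = new Set()) {
  if (memo.has(name)) return memo.get(name);
  if (stack.has(name)) throw new Error(`recursive entity "${name}"`);
  const value = entities.get(name);
  if (value === undefined) return `&${name};`.length; // undeclared: kept verbatim
  stack.add(name);
  let length = value.replace(ENTITY_REF, '').length;   // literal text only
  for (const m of value.matchAll(ENTITY_REF)) {
    length += expandedLength(m[1], entities, memo, budget, stack);
    if (length > budget) throw new Error(`entity "${name}" expands past ${budget} bytes`);
  }
  if (length > budget) throw new Error(`entity "${name}" expands past ${budget} bytes`);
  stack.delete(name);
  memo.set(name, length);
  return length;
}

// Returns { ok, reason, maxExpansion }; maxExpansion is the largest single entity.
function assessEntityExpansion(xml, budget = 10_000) {
  const { entities, external } = collectEntities(xml);
  if (external) return { ok: false, reason: 'external or parameter entity declared', maxExpansion: 0 };
  const memo = new Map();
  let maxExpansion = 0;
  try {
    for (const name of entities.keys()) {
      maxExpansion = Math.max(maxExpansion, expandedLength(name, entities, memo, budget));
    }
  } catch (e) {
    return { ok: false, reason: e.message, maxExpansion };
  }
  return { ok: true, reason: null, maxExpansion };
}
```

A budget of a few kilobytes is far above any legitimate internal-entity use while still catching the nested definitions the advisory describes; documents with no DOCTYPE pass untouched.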

Details

CWE(s)

CWE-776: XML Entity Expansion

Affected Products

naturalintelligence
fast-xml-parser
4.1.3 up to, but not including, 5.3.6

CVEs Like This One

CVE-2026-33036 (same product: Naturalintelligence Fast-Xml-Parser)
CVE-2026-25128 (same product: Naturalintelligence Fast-Xml-Parser)
CVE-2026-27942 (same product: Naturalintelligence Fast-Xml-Parser)
CVE-2026-25896 (same product: Naturalintelligence Fast-Xml-Parser)
CVE-2026-29074 (shared CWE-776)
