CVE-2026-26278
Published: 19 February 2026
Summary
CVE-2026-26278 is a high-severity XML Entity Expansion (CWE-776) vulnerability in Naturalintelligence Fast-Xml-Parser. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 9.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-26278 is a denial-of-service vulnerability in the fast-xml-parser JavaScript library, which enables XML validation, parsing to JavaScript objects, or building XML from objects without C/C++ dependencies or callbacks. Affecting versions 4.1.3 through 5.3.5, the flaw (CWE-776) allows unlimited entity expansion during XML parsing. A small malicious XML input can trigger excessive processing, causing the parser to spend seconds or minutes on a single request and effectively freeze the application. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated attacker with network access to an application using the vulnerable fast-xml-parser versions can exploit this remotely. By crafting a concise XML payload with expansive or recursive entity definitions, the attacker induces the parser to perform unbounded expansions, leading to high CPU consumption and temporary denial of service without requiring privileges or user interaction.
The vulnerability is addressed in fast-xml-parser version 5.3.6. As a workaround, disable DOCTYPE entity processing via the `processEntities: false` option. Additional details are available in the GitHub security advisory (GHSA-jmr7-xgp7-cmfj), the fixing commit (910dae5be2de2955e968558fadf6e8f74f117a77), and the v5.3.6 release notes.
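As an added example that is not part of this advisory or of the fast-xml-parser project, the following JavaScript guard applies the input-validation mitigation in front of the parser, alongside the `processEntities: false` workaround: it measures how far the document's internal entities would expand and rejects the input when the total exceeds a budget or an entity references itself. The function names, the budget values and the sample document are constructed for illustration.

```javascript
// Added example, not fast-xml-parser's own code: a pre-parse guard that bounds
// internal entity expansion before untrusted XML reaches the parser. Internal
// general entities only; external and parameter entities are not resolved.
// Collect <!ENTITY name "value"> declarations from the internal subset and
// return the document with its DOCTYPE removed so the body can be measured.
function collectEntities(xml) {
  const entities = new Map();
  const doctype = /<!DOCTYPE[^\[>]*\[([\s\S]*?)\]\s*>/.exec(xml);
  if (!doctype) return { entities, body: xml };
  const decl = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  let m;
  while ((m = decl.exec(doctype[1])) !== null) {
    entities.set(m[1], m[2] !== undefined ? m[2] : m[3]);
  }
  return { entities, body: xml.slice(0, doctype.index) + xml.slice(doctype.index + doctype[0].length) };
}
// Length of `value` once nested &name; references are resolved. Throws on a
// reference cycle or when the running total exceeds `budget`.
function expandedLength(value, entities, memo, stack, budget) {
  const ref = /&([A-Za-z_][\w.-]*);/g;
  let total = 0, last = 0, m;
  while ((m = ref.exec(value)) !== null) {
    total += m.index - last;                 // literal text before the reference
    last = ref.lastIndex;
    const name = m[1];
    if (!entities.has(name)) { total += m[0].length; continue; } // e.g. &amp;
    if (stack.has(name)) throw new Error(`recursive entity: ${name}`);
    if (!memo.has(name)) {
      stack.add(name);
      memo.set(name, expandedLength(entities.get(name), entities, memo, stack, budget));
      stack.delete(name);
    }
    total += memo.get(name);
    if (total > budget) throw new Error(`entity expansion exceeds ${budget}`);
  }
  return total + (value.length - last);
}
// Returns { ok: true, expansion } or { ok: false, reason }; call before parsing.
function guardXml(xml, budget = 100000) {
  try {
    const { entities, body } = collectEntities(xml);
    return { ok: true, expansion: expandedLength(body, entities, new Map(), new Set(), budget) };
  } catch (err) { return { ok: false, reason: err.message }; }
}
// Constructed sample: three nested entities, each ten copies of the previous one.
const SAMPLE_NESTED = '<!DOCTYPE d [<!ENTITY a "aaaaaaaaaa">' +
  '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">' +
  '<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]><d>&c;</d>';
```

A document that passes the guard can then be handed to the parser; one that fails should be rejected and logged rather than parsed.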
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7970
Vulnerability details
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables a remote, application-layer DoS via XML entity expansion (CWE-776) that exhausts CPU; it maps directly to T1499.004 Application or System Exploitation.
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the unlimited entity expansion flaw in fast-xml-parser by requiring timely patching to version 5.3.6 or later.
- CM-6 (Configuration Settings): enforces secure configuration of the XML parser, using options such as `processEntities: false` to disable DOCTYPE entity processing, as the specified workaround.
- SI-10 (Information Input Validation): validates XML inputs to reject payloads with expansive or recursive entity definitions before they reach the vulnerable parser.