CVE-2026-27942
Published: 26 February 2026
Summary
CVE-2026-27942 is a low-severity Classic Buffer Overflow (CWE-120) vulnerability in Naturalintelligence Fast-Xml-Parser. Its CVSS base score is 2.7 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 5.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27942 is a stack overflow vulnerability (CWE-120) in the fast-xml-parser JavaScript library, which provides XML validation, parsing to JavaScript objects, and XML building from objects without C/C++ dependencies or callbacks. The flaw affects versions prior to 5.3.8 and causes the application to crash when the XML builder is invoked with the preserveOrder option set to true.
With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), the vulnerability is exploitable remotely over the network with low attack complexity, requiring no privileges, user interaction, or privilege escalation. Any unauthenticated attacker can supply crafted input to the XML builder, triggering a stack overflow that results in denial of service through application termination.
The vulnerability is addressed in fast-xml-parser version 5.3.8. Workarounds include using the XML builder with preserveOrder set to false or validating input data prior to passing it to the builder. Additional details are provided in the GitHub security advisory (GHSA-fj3w-jwp8-x2g3), pull request 791, and fixing commit c13a961910f14986295dd28484eee830fa1a0e8a.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8811
Vulnerability details
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and without callbacks. Prior to version 5.3.8, the application crashes with a stack overflow when the user uses the XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use the XML builder with `preserveOrder:false` or check the input data before passing it to the builder.
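The "check the input data before passing to builder" workaround named in the analysis and in the vulnerability details above, as an added example that is not fast-xml-parser's own code: a pre-check that bounds nesting depth and node count and rejects cyclic references before the object reaches the builder. The limits, the `guardedBuild` wrapper and the stub builder are assumptions for illustration; the real builder would be an `XMLBuilder` instance.

```javascript
// Added example, not fast-xml-parser's own code: a pre-check for the JS
// object handed to the XML builder, in the spirit of the advisory's
// "check the input data before passing to builder" workaround. It bounds
// nesting depth and node count and rejects cyclic references, the generic
// ways any recursive builder can be driven into a stack overflow.
// The limits are assumptions; tune them per deployment.
const DEFAULT_LIMITS = { maxDepth: 64, maxNodes: 100000 };

// Walk the value depth-first; throw on a cycle, excess depth or excess size.
// Returns the (unmodified) input so it can be passed straight to build().
function checkBuilderInput(value, limits = {}) {
  const { maxDepth, maxNodes } = { ...DEFAULT_LIMITS, ...limits };
  const ancestors = new Set(); // objects on the current path, for cycle detection
  let nodes = 0;
  function walk(v, depth) {
    if (v === null || typeof v !== 'object') return; // leaf: string/number/bool
    if (ancestors.has(v)) throw new Error('cyclic reference in builder input');
    if (depth > maxDepth) throw new Error(`nesting deeper than ${maxDepth}`);
    if (++nodes > maxNodes) throw new Error(`more than ${maxNodes} nodes`);
    ancestors.add(v);
    for (const child of Array.isArray(v) ? v : Object.values(v)) walk(child, depth + 1);
    ancestors.delete(v); // a shared (non-ancestor) object is not a cycle
  }
  walk(value, 0);
  return value;
}

// Run the check before every build. `builder` is anything with build(obj);
// with fast-xml-parser that would be new XMLBuilder({ preserveOrder: true })
// (assumption: the XMLBuilder API shape of v5). Checking the input is the
// alternative to the other workaround, preserveOrder:false.
function guardedBuild(builder, input, limits) {
  return builder.build(checkBuilderInput(input, limits));
}

// Constructed sample in preserveOrder shape (array of single-key nodes).
const sample = [{ root: [{ item: [{ '#text': 'a' }] }, { item: [{ '#text': 'b' }] }] }];
// Stand-in for XMLBuilder so the example runs without the library installed.
const stubBuilder = { build: (obj) => JSON.stringify(obj) };
```

Whether a given depth limit is enough depends on the input your application legitimately builds, so measure real documents before picking one.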
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated stack overflow in the XML builder of a public-facing application directly enables T1190 (Exploit Public-Facing Application) and T1499.004 (Application or System Exploitation), resulting in a DoS crash.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the stack overflow vulnerability in fast-xml-parser by requiring timely updates to version 5.3.8 or later.
- SI-10 (Information Input Validation): validates input data prior to passing it to the XML builder, preventing crafted inputs from triggering the stack overflow, as recommended in the workaround.
- Secure configuration: enforces configuration settings such as preserveOrder:false in the XML builder to mitigate the vulnerability without requiring an update.