Cyber Resilience

CVE-2026-27942

Severity: Low
Published: 26 February 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: fixed in version 5.3.8
CVSS v4 score: 2.7 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0002 (5.0th percentile)
Risk priority: 5 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27942 is a low-severity Classic Buffer Overflow (CWE-120) vulnerability in Naturalintelligence Fast-Xml-Parser. Its CVSS base score is 2.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 5.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27942 is a stack overflow vulnerability (CWE-120) in the fast-xml-parser JavaScript library, which provides XML validation, parsing to JavaScript objects, and XML building from objects without C/C++ dependencies or callbacks. The flaw affects versions prior to 5.3.8 and causes the application to crash when the XML builder is invoked with the preserveOrder option set to true.

With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), the vulnerability is exploitable remotely over the network with low attack complexity and requires neither privileges nor user interaction. Any unauthenticated attacker who can supply input to the XML builder can trigger a stack overflow that results in denial of service through application termination.

The vulnerability is addressed in fast-xml-parser version 5.3.8. Workarounds include using the XML builder with preserveOrder set to false or validating input data prior to passing it to the builder. Additional details are provided in the GitHub security advisory (GHSA-fj3w-jwp8-x2g3), pull request 791, and fixing commit c13a961910f14986295dd28484eee830fa1a0e8a.
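As an added example (not code from fast-xml-parser or from the advisory), the following JavaScript shows the second workaround: checking the preserveOrder-format input before it reaches XMLBuilder. The advisory does not state which input shape triggers the crash, so the example assumes a recursion-driven stack overflow: it bounds nesting depth with a check that itself cannot overflow, and treats a RangeError from the builder as a handled failure rather than a process crash. MAX_DEPTH, measureDepth, buildSafely and makeNested are names chosen here, and the sample document is constructed.

```javascript
// Added example: guard fast-xml-parser's XMLBuilder (preserveOrder: true) by
// validating input first. MAX_DEPTH is a hypothetical limit chosen for this
// example; tune it to the deepest document the application legitimately emits.
const MAX_DEPTH = 64;

// preserveOrder input is an array of nodes shaped like
// { tagName: [childNodes], ':@': { attributes }, '#text': 'text' }.
// Returns the deepest element nesting found, stopping as soon as the limit is
// exceeded so this check itself can never exhaust the call stack.
function measureDepth(nodes, depth = 0) {
  if (depth > MAX_DEPTH || !Array.isArray(nodes)) return depth;
  let deepest = depth;
  for (const node of nodes) {
    if (node === null || typeof node !== 'object') continue;
    for (const key of Object.keys(node)) {
      if (key === ':@' || key === '#text') continue; // attributes/text, not children
      deepest = Math.max(deepest, measureDepth(node[key], depth + 1));
      if (deepest > MAX_DEPTH) return deepest;
    }
  }
  return deepest;
}

// build: any function that renders preserveOrder nodes to XML, e.g.
//   const { XMLBuilder } = require('fast-xml-parser');
//   const builder = new XMLBuilder({ preserveOrder: true });
//   buildSafely(n => builder.build(n), nodes)
// Rejects over-deep input up front and turns a RangeError (stack exhaustion)
// from the builder into an ordinary failure result instead of a crash.
function buildSafely(build, nodes) {
  if (measureDepth(nodes) > MAX_DEPTH) {
    return { ok: false, reason: `nesting deeper than ${MAX_DEPTH} levels rejected` };
  }
  try {
    return { ok: true, xml: build(nodes) };
  } catch (err) {
    if (err instanceof RangeError) {
      return { ok: false, reason: 'builder exhausted the call stack' };
    }
    throw err; // anything else is a real bug, not a handled failure
  }
}

// Constructed sample: <wrap> elements nested `levels` deep around one leaf.
function makeNested(levels) {
  let doc = [{ leaf: [{ '#text': 'x' }] }];
  for (let i = 0; i < levels; i++) doc = [{ wrap: doc }];
  return doc;
}
```

The depth check runs before the builder, so a rejected document never reaches the vulnerable code path; the try/catch is a second layer for whatever input shape the depth bound does not anticipate.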

Vulnerability details

fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and with no callback. Prior to version 5.3.8, the application crashes with a stack overflow when a user uses the XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use the XML builder with `preserveOrder:false` or check the input data before passing it to the builder.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

A remote, unauthenticated stack overflow in the XML builder of a public-facing application maps directly to T1190 (initial access through exploitation) and T1499.004 (application crash causing denial of service).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-25128 (same product: Naturalintelligence Fast-Xml-Parser)
- CVE-2026-33036 (same product: Naturalintelligence Fast-Xml-Parser)
- CVE-2026-26278 (same product: Naturalintelligence Fast-Xml-Parser)
- CVE-2026-25896 (same product: Naturalintelligence Fast-Xml-Parser)
- CVE-2025-29361 (shared CWE-120)
- CVE-2025-50646 (shared CWE-120)
- CVE-2025-29363 (shared CWE-120)
- CVE-2025-50652 (shared CWE-120)
- CVE-2025-29362 (shared CWE-120)
- CVE-2025-50673 (shared CWE-120)

Affected Assets

naturalintelligence / fast-xml-parser: ≤ 4.5.4, and 5.0.0 through 5.3.8

Mitigating Controls (NIST 800-53 r5)

- Prevent (SI-2, Flaw Remediation): Directly remediates the stack overflow vulnerability in fast-xml-parser by requiring timely updates to version 5.3.8 or later.
- Prevent (SI-10, Information Input Validation): Validates input data prior to passing it to the XML builder, preventing crafted inputs from triggering the stack overflow, as recommended in the workaround.
- Prevent (secure configuration): Enforces secure configuration settings such as preserveOrder:false in the XML builder to mitigate the vulnerability without requiring an update.
