CVE-2026-32287

HighPublic PoC

Published: 26 March 2026

Published

26 March 2026

Modified

21 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0008 24.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32287 is a high-severity Infinite Loop (CWE-835) vulnerability in Antchfx Xpath. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 24.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of flaws like the infinite loop in antchfx/xpath, directly enabling patching to the fixed version.

SI-10 Information Input Validation good match

prevent

Mandates validation of XPath query inputs to block malicious boolean expressions such as '1=1' or 'true()' that trigger the infinite loop.

SC-5 Denial-of-service Protection good match

preventdetect

Implements protections against denial-of-service events, including CPU exhaustion from the infinite loop in logicalQuery.Select.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Infinite loop DoS triggered by malicious XPath input directly matches Application or System Exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

Deeper analysisAI

CVE-2026-32287 is a denial-of-service vulnerability in the antchfx/xpath Go package, where boolean XPath expressions evaluating to true, such as top-level selectors "1=1" or "true()", trigger an infinite loop in the logicalQuery.Select function. This results in 100% CPU usage. The issue is classified under CWE-835 (Infinite Loop) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its availability impact.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By supplying a malicious XPath query to an application using the affected antchfx/xpath library for query processing, attackers can cause the targeted system to enter an infinite loop, exhausting CPU resources and potentially leading to denial of service.

Mitigation involves updating the antchfx/xpath package to the fixed version via the patch commit at https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494. The vulnerability is tracked in the Go vulnerability database as GO-2026-4526 (https://pkg.go.dev/vuln/GO-2026-4526) and detailed in related GitHub issues (https://github.com/antchfx/xpath/issues/121, https://github.com/golang/vulndb/issues/4526) and a research advisory (https://securityinfinity.com/research/infinite-loop-dos-in-antchfx-xpath-logicalquery-select).