Bug 2441120 (CVE-2026-26278)
| Summary: | CVE-2026-26278 fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abarbaro, abuckta, alizardo, anjoseph, anthomas, caswilli, dkuc, dschmidt, ehelms, erezende, fdeutsch, ggainey, jchui, jhe, jlanda, jprabhak, juwatts, kaycoth, kshier, ktsao, manissin, mattdavi, mhulan, nboldt, nmoumoul, orabin, oramraz, osousa, pcreech, psrna, rchan, rjohnson, simaishi, smallamp, smcdonal, smullick, stcannon, stirabos, teagle, thason, tmalecek, wtam, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A denial of service flaw was found in fast-xml-parser. A remote attacker can exploit this vulnerability by providing a specially crafted, small XML input. This input can force the XML parser to perform an unlimited amount of entity expansion, consuming excessive resources. This can lead to the application freezing for an extended period, resulting in a Denial of Service (DoS).
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2441130, 2441131 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-02-19 21:03:56 UTC
|