2441501 – (CVE-2026-25896) CVE-2026-25896 fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling

Bug 2441501 (CVE-2026-25896) - CVE-2026-25896 fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling

Summary: CVE-2026-25896 fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) d...

Keywords:
Status:	NEW
Alias:	CVE-2026-25896
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2441504 2441505
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-20 22:02 UTC by OSIDB Bzimport
Modified:	2026-02-20 22:57 UTC (History)
CC List:	43 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-20 22:02:23 UTC

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (&lt;, &gt;, &amp;, &quot;, &apos;) with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
abuckta
alizardo
anjoseph
anthomas
caswilli
dkuc
dschmidt
ehelms
erezende
fdeutsch
ggainey
jchui
jhe
jlanda
jprabhak
juwatts
kaycoth
kshier
ktsao
manissin
mattdavi
mhulan
nboldt
nmoumoul
orabin
oramraz
osousa
pcreech
psrna
rchan
rjohnson
simaishi
smallamp
smcdonal
smullick
stcannon
stirabos
teagle
thason
tmalecek
wtam
yguenane