CVE-2026-44664
XML Injection vulnerability in fast-xml-builder (npm)

XML Injection No known exploit

What is CVE-2026-44664 About?

This XML Injection vulnerability in `fast-xml-builder` (the advisory text describing it refers to the package as `fast-xml-parser`) allows attackers to bypass comment sanitization and inject arbitrary XML/HTML content. The sanitization fix for `GHSA-gh4j-gqv2-49f6` is incomplete: an attacker can break out of a generated XML comment and insert markup such as script tags, creating a risk of client-side script execution when the output is rendered in a browser.

Affected Software

fast-xml-builder >=1.1.5, <1.1.6

Technical Details

The vulnerability stems from an incomplete fix for GHSA-gh4j-gqv2-49f6. The original fix attempted to neutralize `--` sequences in XML comment content by replacing them with `- -`, but it does not account for three or more consecutive dashes. Because a single replacement pass only rewrites non-overlapping pairs, `---` becomes `- --`, so content containing `--->` still yields a `-->` sequence after sanitization. An attacker who controls the value of the comment property can therefore close the comment early and inject arbitrary XML/HTML content, including script tags, into the built output. This can lead to client-side code execution when the output is rendered in a browser, or to unexpected behavior in other XML consumers.

What is the Impact of CVE-2026-44664?

Successful exploitation may allow attackers to inject malicious or unwanted markup, such as JavaScript script tags, into the generated XML/HTML output. If that output is rendered in a browser, this leads to Cross-Site Scripting (XSS) or other client-side attacks; other XML consumers may misparse the injected content.

What is the Exploitability of CVE-2026-44664?

Exploitation requires the attacker to supply crafted input containing a run of three or more dashes followed by `>` (e.g. `--->`) in a value that the application places in the comment property of the affected library. No authentication or elevated privileges are required if the application builds XML from untrusted input, and the scenario is remotely exploitable. Complexity is low, since the bypass is a fixed character sequence. The risk is high for applications that build XML from user-supplied content, especially if the output is rendered in a browser.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2026-44664?

Available Upgrade Options

  • fast-xml-builder
    • >=1.1.5, <1.1.6 → Upgrade to 1.1.6


Additional Resources

What are Similar Vulnerabilities to CVE-2026-44664?

Similar Vulnerabilities: CVE-2023-46305, CVE-2023-38407, CVE-2023-30547, CVE-2022-38426, CVE-2021-38186