PT-2026-39286 · Npm · Fast-Xml-Builder

Published: 2026-05-08 · Updated: 2026-05-13 · CVE-2026-44664

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: fast-xml-builder version 1.1.5
Description: The sanitization of -- sequences in XML comment content is insufficient. A single global pass of .replace(/--/g, '- -') rewrites only the first pair in a run of three consecutive dashes (e.g., --->...), leaving "- -->", which still terminates the comment. This allows an attacker to break out of an XML comment and inject arbitrary XML or HTML content, such as JavaScript script tags, into the output when the comment property is enabled.
Recommendations: Update to version 1.1.6. As a temporary workaround, externally check for the presence of three consecutive dashes in the property value used for the comment tag.
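Added example (not code from fast-xml-builder or from this advisory): it reproduces the quoted .replace(/--/g, '- -') pass, shows why a value with three consecutive dashes defeats it, and pairs it with a hardened sanitizer and the advisory's triple-dash workaround check. The hardened variant is an assumption about one correct approach, not the upstream 1.1.6 fix.

```javascript
// The sanitizer as quoted in the advisory: one global pass over "--".
function sanitizeVulnerable(text) {
  return String(text).replace(/--/g, '- -');
}

// Hardened variant (assumption: one correct approach, not the upstream fix).
// Every dash that is followed by another dash gets a space after it, so no
// "--" survives regardless of run length; a trailing dash is padded because
// XML forbids a comment body that ends in "-" (it would form "--->").
function sanitizeHardened(text) {
  return String(text).replace(/-(?=-)/g, '- ').replace(/-$/, '- ');
}

// The advisory's temporary workaround: reject values containing three
// consecutive dashes before they reach the comment builder.
function hasTripleDash(text) {
  return /---/.test(String(text));
}

// Wrap sanitized text in an XML comment.
function buildComment(text, sanitize) {
  return '<!--' + sanitize(text) + '-->';
}

// True when the first "-->" is not the intended closing delimiter, i.e.
// the comment terminates early and anything after it becomes markup.
function closesEarly(comment) {
  return comment.indexOf('-->') !== comment.length - 3;
}

// Well-formedness check for a comment: body must contain no "--" and must
// not end in "-" (XML 1.0 rules for comments).
function commentIsWellFormed(comment) {
  const m = /^<!--([\s\S]*)-->$/.exec(comment);
  if (!m) return false;
  const body = m[1];
  return !body.includes('--') && !body.endsWith('-');
}

// Constructed sample: a neutral value carrying the "--->" pattern.
const sample = 'note ---> trailing';
console.log('vulnerable :', buildComment(sample, sanitizeVulnerable),
  closesEarly(buildComment(sample, sanitizeVulnerable)) ? '(closes early)' : '');
console.log('hardened   :', buildComment(sample, sanitizeHardened));
console.log('workaround flags value:', hasTripleDash(sample));
```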

Related Identifiers: CVE-2026-44664, GHSA-45C6-75P6-83CC

Affected Products: Fast-Xml-Builder