PT-2026-39287 · Npm · Fast-Xml-Builder

Published 2026-05-08 · Updated 2026-05-13 · CVE-2026-44665

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

fast-xml-builder versions prior to 1.1.7

Description

When input data contains quotes in attribute values and the processEntities flag is disabled, the software incorrectly splits the attribute value into multiple attributes. This allows an attacker to inject unauthorized attributes into the resulting XML or HTML output.

Recommendations

Update to version 1.1.7. Keep the processEntities flag set to true if attributes are not being ignored.
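
The following added example (not fast-xml-builder's code) shows the failure mode in a minimal attribute serializer and a round-trip check that detects it. The function names, the `processEntities` option on the hypothetical `buildTag`, and the sample input are assumptions made for illustration.

```javascript
// Added illustration: a minimal attribute serializer, NOT fast-xml-builder's code.
// buildTag and its processEntities option are hypothetical stand-ins for the
// flag named in the advisory.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Replace XML-significant characters so a value cannot close its own quotes.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Serialize one self-closing element. With processEntities off, values are
// written raw, which reproduces the behaviour the description warns about.
function buildTag(name, attrs, { processEntities = true } = {}) {
  const parts = Object.entries(attrs).map(([key, value]) => {
    const text = processEntities ? escapeAttr(value) : String(value);
    return `${key}="${text}"`;
  });
  return `<${name} ${parts.join(' ')}/>`;
}

// Defensive check: re-read the serialized tag and list the attribute names
// a consumer would see.
function attributeNames(tag) {
  const names = [];
  const re = /([A-Za-z_:][\w:.-]*)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// True only when the output carries exactly the attributes that were supplied.
function roundTripsCleanly(attrs, options) {
  const expected = Object.keys(attrs);
  const seen = attributeNames(buildTag('item', attrs, options));
  return seen.length === expected.length && seen.every((n, i) => n === expected[i]);
}

// Constructed sample input: one attribute whose value contains double quotes.
const SAMPLE = { title: 'a" extra="1' };

console.log(buildTag('item', SAMPLE, { processEntities: false }));
console.log(buildTag('item', SAMPLE, { processEntities: true }));
console.log(roundTripsCleanly(SAMPLE, { processEntities: false }));
console.log(roundTripsCleanly(SAMPLE, { processEntities: true }));
```

A round-trip check of this kind can run in a test suite against the real builder's output to confirm that the upgrade and the flag setting are in effect.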

Exploit

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2026-44665
GHSA-5WM8-GMM8-39J9

Affected Products

Fast-Xml-Builder