CVE-2026-41650

About vulnerability

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the “–>” sequence in comment content or the “]]>” sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.

Affected product:

Node.js , React , astro , b4a , babel-preset-expo , bare-fs , bare-stream , bottom-tabs , cli , db0 , devtools , drawer , drizzle-orm , expo , expo-asset , expo-constants , expo-file-system , expo-image , expo-linking , expo-modules-jsi , expo-router , expo-sqlite , expo-symbols , expo-widgets , fast-xml-parser , masked-view , metro-runtime , mongoose , native-stack , nitro , nuxt , op-sqlite , platform-ios , sharp , streamx , tar-fs , tar-stream , teex , text-decoder , unstorage , vector-icons , vite , vite-dev-rpc , vite-hot-client , vite-plugin-checker , vite-plugin-inspect , vite-plugin-vue , vite-plugin-vue-inspector

Affected packages:

fast-xml-parser (+242 more)

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the “–>” sequence in comment content or the “]]>” sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.