CVE-2026-44665
fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes
Severity: 6.1 MEDIUM (CVSS 3.1) | EPSS 0.01%
Description
# Summary
When input data contains a quote character in an attribute value and processEntities is not enabled, the builder writes the quote unescaped. The quote terminates the attribute early, and whatever follows it is emitted as further attributes of the element. This lets an attacker inject unwanted attributes (for example an event handler) into the generated XML/HTML.
## Detail
Malicious input:
```javascript
{ a: { "@_attr": '" onClick="alert(1)' } }
```
Output:
```xml
<a attr="" onClick="alert(1)"></a>
```
### Workarounds
If you are not ignoring attributes, keep the processEntities flag set to true so that quotes in attribute values are entity-encoded instead of being written verbatim.
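The following is an added example, not code from fast-xml-builder or this advisory. It models the behaviour the description reports with a small attribute serializer: with entity processing off, the advisory's payload splits the attribute and a second attribute appears in the output; with entity processing on, the quote is encoded and the value stays a single attribute. The option name `processEntities` and the `@_` attribute prefix are taken from the advisory; the function names, the `attributeNamePrefix` option and the `injectedAttributes` check are assumptions made for this example.

```javascript
// Added example (not the library's code): models the attribute-splitting bug
// in this advisory and the effect of the processEntities workaround.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Escape the five XML special characters before the value is wrapped in
// double quotes. This is what an entity-processing builder must do.
function escapeAttrValue(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Serialize one element. Keys starting with the attribute prefix become
// attributes. With processEntities=false the value is written verbatim, so a
// double quote inside it closes the attribute early (the bug being modelled).
function buildElement(name, obj, { processEntities = true, attributeNamePrefix = '@_' } = {}) {
  let attrs = '';
  for (const [key, value] of Object.entries(obj)) {
    if (!key.startsWith(attributeNamePrefix)) continue;
    const attrName = key.slice(attributeNamePrefix.length);
    const v = processEntities ? escapeAttrValue(value) : String(value);
    attrs += ` ${attrName}="${v}"`;
  }
  return `<${name}${attrs}></${name}>`;
}

// Parse attribute names back out of the serialized start tag. Serves as the
// check: the attributes in the output must be exactly the ones supplied.
function attributeNames(xml) {
  const tag = xml.match(/^<[^\s>]+([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const re = /\s([^\s=]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

// Report attribute names present in the output that were never supplied.
// A non-empty result means attribute injection succeeded.
function injectedAttributes(xml, obj, prefix = '@_') {
  const expected = Object.keys(obj)
    .filter((k) => k.startsWith(prefix))
    .map((k) => k.slice(prefix.length));
  return attributeNames(xml).filter((n) => !expected.includes(n));
}

// Constructed input: the payload quoted in the advisory.
const malicious = { '@_attr': '" onClick="alert(1)' };

// Vulnerable configuration: entities not processed, quote written verbatim.
const vulnerable = buildElement('a', malicious, { processEntities: false });
// Workaround configuration: quote becomes &quot;, value stays one attribute.
const hardened = buildElement('a', malicious, { processEntities: true });

console.log('vulnerable:', vulnerable, '->', injectedAttributes(vulnerable, malicious));
console.log('hardened:  ', hardened, '->', injectedAttributes(hardened, malicious));
```

The `injectedAttributes` check is the kind of assertion worth adding to a builder's test suite: feed attribute values containing `"`, `'`, `<` and `&` and require that the attribute set of the output equals the attribute set of the input. A parser on the receiving end, or a browser rendering the output as HTML, will honour the injected `onClick` exactly as it would an attribute the application meant to write.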
How to fix CVE-2026-44665
To remediate CVE-2026-44665, upgrade the affected package to a fixed version below.
- fast-xml-builder: upgrade to 1.1.7 or later
Is CVE-2026-44665 being exploited?
Low. The EPSS score is 0.01%, i.e. the model's estimated probability that this CVE is exploited in the wild within the next 30 days is very small.
Affected packages (1)
- fast-xml-builder: all versions from 0 up to, but not including, 1.1.7
CVSS scores
| Source | Version | Severity (score) | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |