CVE-2026-44665 MEDIUM

CVE-2026-44665: fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes

Vendor Naturalintelligence
Product fast-xml-builder
Weakness CWE-91 · XML injection
Published May 13, 2026
Last update May 18, 2026

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when input data has quotes in attribute values but process entities is not enabled, the builder breaks the attribute value into multiple attributes. This gives an attacker room to insert unwanted attributes into the XML/HTML. This vulnerability is fixed in 1.1.7.
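
The effect described above, as an added example that is not fast-xml-builder's code or API: a minimal stand-alone attribute serializer showing an unescaped quote splitting one value into two attributes, the escaped form, and a regression check that compares output attribute names with the input keys. All function names and the sample value are constructed for illustration.

```javascript
// Added illustration, NOT fast-xml-builder's code or API.
// Function names and the sample value are constructed for this example.

// Models the flaw: the value is placed between double quotes unescaped.
function buildTagUnsafe(name, attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => `${k}="${v}"`);
  return `<${name} ${parts.join(" ")}/>`;
}

// Hardened form: XML-escape the characters that can end or reshape the value.
const ATTR_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}
function buildTagSafe(name, attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => `${k}="${escapeAttr(v)}"`);
  return `<${name} ${parts.join(" ")}/>`;
}

// Attribute names a consumer would see in one serialized tag.
function attributeNames(tag) {
  const re = /([^\s=<>\/"']+)\s*=\s*(?:"[^"]*"|'[^']*')/g;
  return Array.from(tag.matchAll(re), (m) => m[1]);
}

// Regression check: names in the output that were never keys in the input.
function extraAttributes(buildFn, name, attrs) {
  const expected = new Set(Object.keys(attrs));
  return attributeNames(buildFn(name, attrs)).filter((n) => !expected.has(n));
}

// Constructed input: one value carries a double quote.
const sample = { href: 'x" injected="1', title: "t" };

console.log(buildTagUnsafe("a", sample));
console.log(extraAttributes(buildTagUnsafe, "a", sample));
console.log(buildTagSafe("a", sample));
console.log(extraAttributes(buildTagSafe, "a", sample));
```

The `extraAttributes` check can be pointed at any serializer function with the same `(name, attrs)` shape to confirm that output attributes match the input keys.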

Key dates

02 Disclosure timeline

May 13, 2026 CVE published
May 18, 2026 Record updated