{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33036", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.210Z", "datePublished": "2026-03-20T05:17:03.290Z", "dateUpdated": "2026-03-20T05:17:03.290Z"}, "containers": {"cna": {"title": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)", "problemTypes": [{"descriptions": [{"cweId": "CWE-776", "lang": "en", "description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"}, {"name": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01", "tags": ["x_refsource_MISC"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"}, {"name": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"}], "affected": [{"vendor": "NaturalIntelligence", "product": "fast-xml-parser", "versions": [{"version": ">= 4.0.0-beta.3, < 5.5.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:17:03.290Z"}, "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like &#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6."}], "source": {"advisory": "GHSA-8gc5-j5rx-235r", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like &#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6."}], "id": "CVE-2026-33036", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T06:16:11.630", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"}, {"source": "security-advisories@github.com", "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"}, {"source": "security-advisories@github.com", "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-776"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "fast-xml-parser: fast-xml-parser: Denial of Service via XML entity expansion bypass", "id": "2449458", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449458"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-776", "details": ["A flaw was found in fast-xml-parser. A remote attacker can exploit this vulnerability by supplying specially crafted XML input containing numeric character references or standard XML entities. This input can bypass configured entity expansion limits, leading to excessive memory allocation and high CPU usage. The primary consequence is a Denial of Service (DoS), which can crash the affected process."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33036", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "mta/mta-ui-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-core-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-client-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel9", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-console-plugin", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-console-plugin-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-host-inventory-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-vulnerability-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-03-20T05:17:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33036\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33036\nhttps://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01\nhttps://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6\nhttps://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0-beta.3,5.5.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fast-xml-parser", "source": "cna", "vendor": "NaturalIntelligence"}, "product": "fast-xml-parser", "vendor": "naturalintelligence"}], "analysis": {"en": {"generated_at": "2026-03-20T06:50:45.849718+00:00", "value": {"mitigation_remediation": ["Upgrade fast\u2011xml-parser to v5.5.6 or later."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is NaturalIntelligence:fast\u2011xml-parser. All releases from 4.0.0\u2011beta.3 up to and including 5.5.5 are vulnerable. The fix was released in version 5.5.6 and later; upgrading to v5.5.6 removes the bypass.", "description_and_impact": "fast\u2011xml-parser is a JavaScript XML parser that processes XML via JavaScript objects. Versions 4.0.0\u2011beta.3 through 5.5.5 contain a vulnerability that bypasses entity expansion limits for numeric and standard entity references, allowing an attacker to supply a large number of such references and force excessive memory allocation (~147\u202fMB) and CPU usage, resulting in a denial of service. The weakness is identified as CWE\u2011776 and does not compromise confidentiality or integrity.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity. EPSS data is not available, so the current likelihood of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. Although the attack vector depends on an application accepting untrusted XML, the flaw can be exploited locally or remotely from any environment that processes user\u2011supplied XML, potentially causing a DoS of the Node.js process. No privileged escalation is required."}}}}, "created": "2026-03-20T08:52:29.364289+00:00", "updated": "2026-03-20T10:37:11.185630+00:00", "vendors": ["naturalintelligence", "naturalintelligence$PRODUCT$fast-xml-parser"]}