Summary

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.6"
      },
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T16:29:10Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# Summary\nWhen an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.\n\n## Detail\n\nMalicious Input\n```\n{\n      a: {\n        \"@_attr\": \u0027\" onClick=\"alert(1)\u0027\n      }\n}\n```\n\nOutput\n```xml\n\u003ca attr=\"\" onClick=\"alert(1)\"\u003e\u003c/a\u003e\n```\n\n### Workarounds\nIf you\u0027re not ignoring attributes then keep processEntities flag true.",
  "id": "GHSA-5wm8-gmm8-39j9",
  "modified": "2026-05-08T16:29:10Z",
  "published": "2026-05-08T16:29:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NaturalIntelligence/fast-xml-builder"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes"
}