Primary

Context

fast-xml-builder XML Comment Injection Vulnerability

Vulnerability

A vulnerability in fast-xml-builder version 1.1.5 allows for injection of arbitrary XML or HTML content through XML comments. The issue arises because the library's comment sanitization process fails to properly handle sequences of three consecutive dashes, enabling an attacker to break out of a comment and inject malicious content. This vulnerability is present in versions greater than 1.1.5 and has been patched in version 1.1.6.

Impact

Exploitation of this vulnerability could lead to injection of unwanted or malicious code, such as JavaScript, into the XML or HTML output.

Remediation

Users can upgrade to fast-xml-builder version 1.1.6 to address this vulnerability. For those unable to upgrade, a workaround involves checking for three consecutive dashes in the property values used for comment tags.

Added: May 13, 2026, 5:16 PM

Updated: May 13, 2026, 5:16 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

7.4

remediation

0.0

relevance

8.2

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

7.4

remediation

0.0

relevance

8.2

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

fast-xml-builder XML Comment Injection Vulnerability

Vulnerability

Impact

Remediation

Affected Products

fast-xml-builder

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating