CVE-2026-44664: fast-xml-builder Comment Value regex can be bypassed
The fix for https://github.com/advisories/GHSA-gh4j-gqv2-49f6 in fast-xml-parser sanitizes "--" sequences in XML comment content using .replace(/--/g, '- -'). This does not neutralize values containing three consecutive dashes (e.g., --->): a single pass turns "--->" into "- -->", which still contains the comment terminator, allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content.
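The following is an added example, not code from fast-xml-builder or fast-xml-parser. It reproduces the single global replace named above beside a hardened variant, and checks both against the XML 1.0 comment grammar (a comment body may not contain "--" and may not end in "-"; the trailing-dash rule goes slightly beyond what the advisory states). The function names and sample inputs are constructed for this example.

```javascript
// Added example, not fast-xml-builder's or fast-xml-parser's own code.
// Function names and sample inputs are constructed for illustration.

// The pattern described in the advisory: one global replace of "--".
// A run of three dashes leaves a residual "--" after the single pass.
function sanitizeCommentOnce(value) {
  return String(value).replace(/--/g, '- -');
}

// Hardened variant: replace every "-" that is followed by another "-",
// using a lookahead so overlapping runs of any length are all split in one
// pass. A trailing "-" is padded because XML forbids a comment body ending
// in "-" (the output "<!--...--->" would otherwise be malformed).
function sanitizeCommentFixed(value) {
  let body = String(value).replace(/-(?=-)/g, '- ');
  if (body.endsWith('-')) body += ' ';
  return body;
}

// XML 1.0 comment grammar check: no "--" inside, no "-" at the end.
// Use this as an acceptance test on any sanitizer's output.
function isWellFormedCommentBody(body) {
  return !body.includes('--') && !body.endsWith('-');
}

// Builds the comment only if the sanitized body passes the grammar check,
// so a sanitizer regression fails loudly instead of emitting a breakout.
function buildComment(value, sanitize) {
  const body = sanitize(value);
  if (!isWellFormedCommentBody(body)) {
    throw new Error('comment body still contains "--" or ends in "-"');
  }
  return `<!--${body}-->`;
}

// Sample inputs, constructed for this example.
const samples = ['plain text', '--', '--->', '-----', 'ends with -'];
for (const s of samples) {
  const once = sanitizeCommentOnce(s);
  const fixed = sanitizeCommentFixed(s);
  console.log(
    JSON.stringify(s),
    'once:', JSON.stringify(once), isWellFormedCommentBody(once) ? 'ok' : 'UNSAFE',
    'fixed:', JSON.stringify(fixed), isWellFormedCommentBody(fixed) ? 'ok' : 'UNSAFE'
  );
}
```

Running the block shows the single-pass sanitizer flagged UNSAFE for "--->" and for a value ending in "-", while the lookahead variant passes the grammar check for every sample. The design point is that the acceptance check, not the regex, is what the builder should rely on.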
References
- github.com/NaturalIntelligence/fast-xml-builder
- github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-45c6-75p6-83cc
- github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6
- github.com/advisories/GHSA-45c6-75p6-83cc
- nvd.nist.gov/vuln/detail/CVE-2026-44664