CVE-2026-44665: fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes

May 8, 2026 (updated May 14, 2026)

When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.

References

github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9
github.com/advisories/GHSA-5wm8-gmm8-39j9
nvd.nist.gov/vuln/detail/CVE-2026-44665

Code Behaviors & Features

Detect and mitigate CVE-2026-44665 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →