CVE-2026-41650: fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
fast-xml-parser's XMLBuilder does not escape the `-->` sequence in comment content or the `]]>` sequence in CDATA sections when building XML from JavaScript objects. Because either sequence closes the enclosing construct, user-controlled data that flows into a comment or CDATA element can inject arbitrary XML, leading to XSS, SOAP injection, or data manipulation.
Existing CVEs for fast-xml-parser cover different issues:
- CVE-2023-26920: Prototype pollution (parser)
- CVE-2023-34104: ReDoS (parser)
- CVE-2026-27942: Stack overflow in XMLBuilder with preserveOrder
- CVE-2026-25896: Entity encoding bypass via regex in DOCTYPE entities
This finding covers unescaped comment and CDATA delimiters in XMLBuilder, a distinct vulnerability.
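Added example, not code from fast-xml-parser or from the advisory: input-side detection and escaping for the two delimiter sequences described above, applied to untrusted data before it is handed to the builder. The `commentSection` and `cdataSection` helpers assume the builder emits the usual `<!--...-->` and `<![CDATA[...]]>` shapes; `findDelimiterBreakouts`, `escapeForComment`, `escapeForCdata` and `decodeCdataSections` are names introduced here.

```javascript
// Detection: report raw sequences that would terminate the enclosing
// comment or CDATA section. Run this at the input-validation boundary.
function findDelimiterBreakouts(value, kind) {
  const text = String(value);
  // In a comment "--" is forbidden anywhere and a trailing "-" would merge
  // into the "-->" closer; in CDATA only "]]>" matters.
  const needle = kind === 'comment' ? /--|-$/g : /\]\]>/g;
  const hits = [];
  let m;
  while ((m = needle.exec(text)) !== null) {
    hits.push({ kind, index: m.index, match: m[0] });
  }
  return hits;
}

// Mitigation for comments: entity references are not expanded inside a
// comment, so dash runs must be broken up textually.
function escapeForComment(value) {
  return String(value)
    .replace(/-{2,}/g, run => run.split('').join(' '))
    .replace(/-$/, '- ');
}

// Mitigation for CDATA: close the section just before "]]>" and reopen a
// new one, so no single section contains the terminator but a conforming
// parser still yields the original text.
function escapeForCdata(value) {
  return String(value).split(']]>').join(']]]]><![CDATA[>');
}

// Stand-ins for the builder's output shape (assumption, see lead-in).
const commentSection = value => `<!--${escapeForComment(value)}-->`;
const cdataSection = value => `<![CDATA[${escapeForCdata(value)}]]>`;

// Parser-side view: concatenate the contents of all CDATA sections, which
// is what an XML parser reports as the element's text.
function decodeCdataSections(xml) {
  return Array.from(xml.matchAll(/<!\[CDATA\[([\s\S]*?)\]\]>/g), m => m[1]).join('');
}

// Constructed sample of untrusted input that tries to close the section.
const untrusted = 'note ]]><forged/>';
```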