CVE-2026-32287: XPath: Boolean expression infinite loop leads to denial of service via CPU exhaustion

March 29, 2026

Boolean expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as “1=1” or “true()”.

References

github.com/advisories/GHSA-65xw-vw82-r86x
github.com/antchfx/xpath
github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494
github.com/antchfx/xpath/issues/121
github.com/golang/vulndb/issues/4526
nvd.nist.gov/vuln/detail/CVE-2026-32287
pkg.go.dev/vuln/GO-2026-4526

Code Behaviors & Features

Detect and mitigate CVE-2026-32287 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →