CVE-2026-26278

high

Red Hat

CVSS v3 Base Score

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Published: February 19, 2026

Last Modified: February 19, 2026

Vendor: Red Hat

Description

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.

CWE

CWE-776

Affected Products

Migration Toolkit for Applications 8Red Hat Advanced Cluster Security 4Red Hat Developer HubRed Hat Openshift Data Foundation 4Red Hat OpenShift GitOpsRed Hat OpenShift Virtualization 4Red Hat Satellite 6Self-service automation portal 2

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com 🔗 github.com

CVE-2026-26278

Vulnerability Report

Description

CWE

Affected Products

References