VDB

DEBIAN-CVE-2026-27942

DEBIAN-CVE-2026-27942 PUBLISHED CVSS 7.5 HIGH

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use XML builder with `preserveOrder:false` or check the input data before passing to builder.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

VendorProductVersions
Debian:12node-webfont*, 11.4.0+dfsg2, 11.4.0+dfsg2
Debian:13node-webfont11.4.0+dfsg2, 11.4.0+dfsg2+~cs35.7.26-14, 0
Debian:14node-webfont0, 11.4.0+dfsg2, 11.4.0+dfsg2

Timeline

  • Feb 26, 2026 CVE Published
  • Apr 28, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›