VDB
DEBIAN-CVE-2026-27942
DEBIAN-CVE-2026-27942
PUBLISHED
CVSS 7.5 HIGH
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use XML builder with `preserveOrder:false` or check the input data before passing to builder.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | node-webfont | *, 11.4.0+dfsg2, 11.4.0+dfsg2 |
| Debian:13 | node-webfont | 11.4.0+dfsg2, 11.4.0+dfsg2+~cs35.7.26-14, 0 |
| Debian:14 | node-webfont | 0, 11.4.0+dfsg2, 11.4.0+dfsg2 |
Timeline
- Feb 26, 2026 CVE Published
- Apr 28, 2026 CVE Updated