[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-26278":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-06T08:55:34.825Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":24,"aliases":34,"duplicate_of":9,"upstream":36,"downstream":37,"duplicates":44,"related":45,"reserved_at":9,"published_at":49,"modified_at":50,"state":51,"summary":52,"references_raw":60,"kevs":93,"epss":94,"epss_history":97,"metrics":369,"affected":379},"CVE-2026-26278","fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-776","Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.","weakness","Draft","Base","Medium",[20],{"id":21,"name":22,"techniques":23},"CAPEC-197","Exponential Data Expansion",[],[25],{"_key":26,"name":27,"source":28,"url":29,"maturity":30,"reliability_score":31,"verified":32,"type":9,"platforms":33,"requires_auth":9,"exploitdb":9,"metasploit":9},"GITHUB_NATURALINTELLIGENCE_FAST-XML-PARSER","Fast Xml Parser","github","https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-mpg4-rc92-vx8v","poc",0.3,false,[],[35],"GHSA-jmr7-xgp7-cmfj",[],[38,40,42],{"_key":39},"OPENSUSE-SU-2026:10236-1",{"_key":41},"DEBIAN-CVE-2026-26278",{"_key":43},"UBUNTU-CVE-2026-26278",[],[46,47],{"_key":39},{"_key":48},"CGA-P55M-GRJF-6FCF","2026-02-19T19:40:55.842Z","2026-03-02T19:11:59.388Z","Analyzed",{"cisa_kev":32,"cisa_ransomware":32,"cisa_vendor":9,"epss_severity":53,"epss_score":54,"severity":55,"severity_score":56,"severity_version":57,"severity_source":58,"severity_vector":59,"severity_status":51},"low",0.00032,"high",7.5,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",[61,71,77,82,88],{"url":62,"sources":63,"tags":66},"https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj",[64,58,65],"osv_npm","nvd",[67,68,69,70],"WEB","X Refsource CONFIRM","Exploit","Vendor Advisory",{"url":72,"sources":73,"tags":74},"https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77",[64,58,65],[67,75,76],"X Refsource MISC","Patch",{"url":78,"sources":79,"tags":80},"https://github.com/NaturalIntelligence/fast-xml-parser",[64],[81],"PACKAGE",{"url":83,"sources":84,"tags":85},"https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6",[64,58,65],[67,75,86,87],"Product","Release Notes",{"url":89,"sources":90,"tags":91},"https://nvd.nist.gov/vuln/detail/CVE-2026-26278",[64],[92],"Advisory",[],{"date":95,"score":54,"percentile":96},"2026-06-05",0.09591,[98,102,105,107,110,113,117,120,123,126,129,132,135,138,141,144,147,150,153,156,159,162,165,168,171,174,177,180,183,186,190,193,197,200,203,206,209,212,214,217,220,223,227,230,233,236,239,242,245,248,251,254,256,259,262,265,268,271,274,277,280,283,286,289,292,295,298,301,304,307,310,313,316,319,322,325,328,331,334,337,340,343,346,349,352,355,358,360,363,366],{"date":99,"score":100,"percentile":101},"2026-02-20",0.00049,0.15194,{"date":103,"score":100,"percentile":104},"2026-02-21",0.15191,{"date":106,"score":100,"percentile":104},"2026-02-22",{"date":108,"score":100,"percentile":109},"2026-02-23",0.15151,{"date":111,"score":100,"percentile":112},"2026-02-24",0.1507,{"date":114,"score":115,"percentile":116},"2026-02-25",0.00064,0.19815,{"date":118,"score":115,"percentile":119},"2026-02-26",0.19804,{"date":121,"score":115,"percentile":122},"2026-02-27",0.19816,{"date":124,"score":115,"percentile":125},"2026-02-28",0.19805,{"date":127,"score":115,"percentile":128},"2026-03-01",0.19839,{"date":130,"score":115,"percentile":131},"2026-03-02",0.1979,{"date":133,"score":115,"percentile":134},"2026-03-03",0.19758,{"date":136,"score":115,"percentile":137},"2026-03-04",0.19672,{"date":139,"score":115,"percentile":140},"2026-03-05",0.19749,{"date":142,"score":115,"percentile":143},"2026-03-06",0.1975,{"date":145,"score":115,"percentile":146},"2026-03-07",0.19741,{"date":148,"score":115,"percentile":149},"2026-03-08",0.19705,{"date":151,"score":115,"percentile":152},"2026-03-09",0.19667,{"date":154,"score":115,"percentile":155},"2026-03-10",0.19652,{"date":157,"score":115,"percentile":158},"2026-03-11",0.19643,{"date":160,"score":115,"percentile":161},"2026-03-12",0.19691,{"date":163,"score":115,"percentile":164},"2026-03-13",0.19731,{"date":166,"score":115,"percentile":167},"2026-03-14",0.19737,{"date":169,"score":115,"percentile":170},"2026-03-15",0.19669,{"date":172,"score":115,"percentile":173},"2026-03-16",0.19641,{"date":175,"score":115,"percentile":176},"2026-03-17",0.19602,{"date":178,"score":115,"percentile":179},"2026-03-18",0.19589,{"date":181,"score":115,"percentile":182},"2026-03-19",0.1959,{"date":184,"score":115,"percentile":185},"2026-03-20",0.19646,{"date":187,"score":188,"percentile":189},"2026-03-21",0.00021,0.05399,{"date":191,"score":188,"percentile":192},"2026-03-22",0.05395,{"date":194,"score":195,"percentile":196},"2026-03-23",0.00022,0.0588,{"date":198,"score":195,"percentile":199},"2026-03-24",0.05856,{"date":201,"score":195,"percentile":202},"2026-03-25",0.05913,{"date":204,"score":195,"percentile":205},"2026-03-26",0.05957,{"date":207,"score":195,"percentile":208},"2026-03-27",0.05956,{"date":210,"score":195,"percentile":211},"2026-03-28",0.05962,{"date":213,"score":195,"percentile":208},"2026-03-29",{"date":215,"score":195,"percentile":216},"2026-03-30",0.05938,{"date":218,"score":195,"percentile":219},"2026-03-31",0.05912,{"date":221,"score":195,"percentile":222},"2026-04-01",0.05919,{"date":224,"score":225,"percentile":226},"2026-04-02",0.0003,0.08601,{"date":228,"score":225,"percentile":229},"2026-04-03",0.08623,{"date":231,"score":225,"percentile":232},"2026-04-04",0.08653,{"date":234,"score":225,"percentile":235},"2026-04-05",0.08637,{"date":237,"score":225,"percentile":238},"2026-04-06",0.0856,{"date":240,"score":225,"percentile":241},"2026-04-07",0.08571,{"date":243,"score":225,"percentile":244},"2026-04-08",0.08644,{"date":246,"score":225,"percentile":247},"2026-04-09",0.08668,{"date":249,"score":225,"percentile":250},"2026-04-10",0.08671,{"date":252,"score":225,"percentile":253},"2026-04-11",0.08666,{"date":255,"score":225,"percentile":244},"2026-04-12",{"date":257,"score":225,"percentile":258},"2026-04-13",0.08631,{"date":260,"score":225,"percentile":261},"2026-04-14",0.08502,{"date":263,"score":225,"percentile":264},"2026-04-15",0.08517,{"date":266,"score":225,"percentile":267},"2026-04-16",0.0852,{"date":269,"score":225,"percentile":270},"2026-04-17",0.08509,{"date":272,"score":225,"percentile":273},"2026-04-18",0.08508,{"date":275,"score":225,"percentile":276},"2026-04-19",0.08483,{"date":278,"score":225,"percentile":279},"2026-04-20",0.08469,{"date":281,"score":225,"percentile":282},"2026-04-21",0.08659,{"date":284,"score":225,"percentile":285},"2026-04-22",0.08687,{"date":287,"score":225,"percentile":288},"2026-04-23",0.08717,{"date":290,"score":225,"percentile":291},"2026-04-24",0.08672,{"date":293,"score":225,"percentile":294},"2026-04-25",0.08645,{"date":296,"score":225,"percentile":297},"2026-04-26",0.08626,{"date":299,"score":225,"percentile":300},"2026-04-27",0.08615,{"date":302,"score":54,"percentile":303},"2026-04-28",0.09051,{"date":305,"score":54,"percentile":306},"2026-04-29",0.0906,{"date":308,"score":54,"percentile":309},"2026-04-30",0.09066,{"date":311,"score":54,"percentile":312},"2026-05-01",0.09007,{"date":314,"score":54,"percentile":315},"2026-05-02",0.09048,{"date":317,"score":54,"percentile":318},"2026-05-03",0.09022,{"date":320,"score":54,"percentile":321},"2026-05-04",0.08977,{"date":323,"score":54,"percentile":324},"2026-05-05",0.08975,{"date":326,"score":54,"percentile":327},"2026-05-06",0.08995,{"date":329,"score":54,"percentile":330},"2026-05-07",0.09141,{"date":332,"score":54,"percentile":333},"2026-05-08",0.09171,{"date":335,"score":54,"percentile":336},"2026-05-09",0.09211,{"date":338,"score":54,"percentile":339},"2026-05-10",0.09212,{"date":341,"score":54,"percentile":342},"2026-05-11",0.09177,{"date":344,"score":54,"percentile":345},"2026-05-12",0.09199,{"date":347,"score":54,"percentile":348},"2026-05-13",0.0922,{"date":350,"score":54,"percentile":351},"2026-05-14",0.09276,{"date":353,"score":54,"percentile":354},"2026-05-15",0.09275,{"date":356,"score":54,"percentile":357},"2026-05-16",0.09293,{"date":359,"score":54,"percentile":351},"2026-05-17",{"date":361,"score":54,"percentile":362},"2026-05-18",0.09232,{"date":364,"score":54,"percentile":365},"2026-05-19",0.09194,{"date":367,"score":54,"percentile":368},"2026-05-20",0.09195,[370,374,377],{"source":64,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":371,"cvss_v4_0":9},{"baseScore":56,"baseSeverity":9,"vectorString":59,"impactScore":372,"exploitabilityScore":373},6,10,{"source":58,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":375,"cvss_v4_0":9},{"baseScore":56,"baseSeverity":376,"vectorString":59,"impactScore":372,"exploitabilityScore":373},"HIGH",{"source":65,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":378,"cvss_v4_0":9},{"baseScore":56,"baseSeverity":376,"vectorString":59,"impactScore":372,"exploitabilityScore":373},[380,399],{"ecosystem":9,"name":381,"vendor":382,"product":381,"cpe_part":383,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":384},"fast-xml-parser","naturalintelligence","a",[385,393,396],{"version":386,"is_range":387,"range_type":388,"version_start":389,"version_start_type":390,"version_end":391,"version_end_type":392,"fixed_in":9},"gte4.1.3_lt5.3.6",true,"cpe","4.1.3","including","5.3.6","excluding",{"version":394,"is_range":387,"range_type":58,"version_start":395,"version_start_type":390,"version_end":391,"version_end_type":392,"fixed_in":9},">= 5.0.0, \u003C 5.3.6","5.0.0",{"version":397,"is_range":387,"range_type":58,"version_start":389,"version_start_type":390,"version_end":398,"version_end_type":392,"fixed_in":9},">= 4.1.3, \u003C 4.5.4","4.5.4",{"ecosystem":400,"name":381,"vendor":400,"product":381,"cpe_part":9,"purl_type":401,"purl_namespace":9,"purl_name":381,"source":9,"versions":402},"Npm","npm",[403,406,408],{"version":404,"is_range":387,"range_type":405,"version_start":389,"version_start_type":390,"version_end":391,"version_end_type":392,"fixed_in":9},"gte4_1_3_lt5_3_6","semver",{"version":407,"is_range":387,"range_type":405,"version_start":389,"version_start_type":390,"version_end":398,"version_end_type":392,"fixed_in":9},"gte4_1_3_lt4_5_4",{"version":409,"is_range":387,"range_type":405,"version_start":395,"version_start_type":390,"version_end":391,"version_end_type":392,"fixed_in":9},"gte5_0_0_lt5_3_6"]