{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44665/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["fast-xml-builder (\u003c= 1.1.6)"],"_cs_severities":["high"],"_cs_tags":["xml","injection","xss","cve-2026-44665"],"_cs_type":"advisory","_cs_vendors":["NPM"],"content_html":"\u003cp\u003eThe fast-xml-builder npm package, version 1.1.6 and earlier, is susceptible to an attribute injection vulnerability (CVE-2026-44665). When the \u003ccode\u003eprocessEntities\u003c/code\u003e flag is disabled, the library writes attribute values into the output without encoding the quote characters they contain. A quote inside a value therefore terminates the attribute early, and the remainder of the value is emitted as one or more additional attributes, which allows an attacker who controls the value to inject arbitrary attributes, including attributes that carry script, into the resulting XML/HTML. 
This issue can occur in any application that uses fast-xml-builder to generate XML or HTML from user-controlled input, and it leads to cross-site scripting (XSS) or other injection-based attacks wherever that output is rendered.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts an input value that contains a quote character followed by the attributes they want to inject.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the value to an application that builds XML/HTML with fast-xml-builder.\u003c/li\u003e\n\u003cli\u003eThe application serializes the value into an attribute with the \u003ccode\u003eprocessEntities\u003c/code\u003e flag disabled.\u003c/li\u003e\n\u003cli\u003eBecause the quote is not encoded, it closes the attribute early and the rest of the value is emitted as one or more additional attributes.\u003c/li\u003e\n\u003cli\u003eThe injected attributes become part of the generated XML/HTML.\u003c/li\u003e\n\u003cli\u003eThe application sends the generated document to a user.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser renders the page and executes the injected script (for example, from an event-handler attribute).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves cross-site scripting (XSS) or another injection-based attack, which can expose data or compromise the user\u0026rsquo;s session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to inject arbitrary attributes into the generated XML or HTML. Where that output reaches a browser, the result is cross-site scripting (XSS). The exposure is limited to applications that serialize user-controlled attribute values with \u003ccode\u003eprocessEntities\u003c/code\u003e disabled, but given the widespread use of fast-xml-builder in Node.js projects, a large number of applications could fall into that set. 
The impact ranges from defacement and information theft to complete compromise of user accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003efast-xml-builder\u003c/code\u003e once one is available, or switch to a different XML builder library.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, set the \u003ccode\u003eprocessEntities\u003c/code\u003e flag to \u003ccode\u003etrue\u003c/code\u003e (the advisory\u0026rsquo;s stated mitigation) so that quotes in attribute values are emitted as entities rather than raw characters, and confirm it by checking that a value containing a double quote produces a single attribute in the output. This only covers values the builder serializes; anything the application concatenates into the document outside the builder must still be escaped by the application.\u003c/li\u003e\n\u003cli\u003eDeploy the accompanying Sigma rule to flag quote-bearing attribute values reaching the vulnerable library; this requires the application to log those input values, since the rule can only match what is logged.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-fast-xml-builder-injection/","summary":"The fast-xml-builder library allows attribute injection when attribute values containing quotes are serialized with processEntities disabled, enabling cross-site scripting where the output is rendered.","title":"fast-xml-builder Vulnerability Allows Attribute Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-fast-xml-builder-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44665","version":"https://jsonfeed.org/version/1.1"}
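The break-out mechanism and the processEntities workaround described in the advisory above, as an added example that is not code from the fast-xml-builder package or from CraftedSignal. `buildElement`, `encodeEntities`, `attributeNames` and `hasAttributeBreakout` are hypothetical helpers that model the class of bug; the only name taken from the advisory is the `processEntities` option, and the attacker-controlled value is constructed for the demonstration.

```javascript
// Added example, not the fast-xml-builder package's own code. A minimal
// attribute serializer that models the behaviour the advisory describes:
// with processEntities disabled, a quote inside a value closes the attribute
// early and the rest of the value is written out as new attributes.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Encode the characters that can change the meaning of an attribute value.
function encodeEntities(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Hypothetical stand-in for a builder call. processEntities defaults to
// true here; the vulnerable configuration passes { processEntities: false }.
function buildElement(tag, attrs, { processEntities = true } = {}) {
  const parts = Object.entries(attrs).map(([name, value]) => {
    const out = processEntities ? encodeEntities(value) : String(value);
    return `${name}="${out}"`;
  });
  return `<${tag}${parts.length ? ' ' + parts.join(' ') : ''}/>`;
}

// List the attribute names a parser would see in the serialized element,
// i.e. every name="..." pair delimited by unencoded double quotes.
function attributeNames(markup) {
  const names = [];
  const re = /\s([^\s=\/>"']+)="[^"]*"/g;
  let m;
  while ((m = re.exec(markup)) !== null) names.push(m[1]);
  return names;
}

// Heuristic pre-check matching the advisory's detection idea: a quote in a
// value bound for an attribute is what makes the break-out possible.
function hasAttributeBreakout(value) {
  return /["']/.test(String(value));
}

// Constructed attacker-controlled value (not from the advisory): the quote
// closes `title`, and the remainder rides along as an event-handler attribute.
const PAYLOAD = 'Home" onmouseover="alert(document.cookie)';

// Serialize the same attributes both ways and report which attribute names
// appeared in the weak output that the application never asked for.
function demonstrate() {
  const attrs = { href: '/', title: PAYLOAD };
  const weak = buildElement('a', attrs, { processEntities: false });
  const safe = buildElement('a', attrs, { processEntities: true });
  const expected = Object.keys(attrs);
  const injectedAttributes = attributeNames(weak).filter((n) => !expected.includes(n));
  return { weak, safe, injectedAttributes };
}

console.log(demonstrate());
```

With processEntities disabled the weak output is `<a href="/" title="Home" onmouseover="alert(document.cookie)"/>`, three attributes where two were supplied; with it enabled the same value becomes `title="Home&quot; onmouseover=&quot;alert(document.cookie)"`, a single attribute. The `attributeNames` check is the verification step for the workaround: a value containing a double quote must still yield exactly the attributes the application passed in.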