## CVE-2026-41650: fast-xml-parser XMLBuilder Flaw Allows Comment and CDATA Injection via Unescaped Delimiters
A security vulnerability has been identified in fast-xml-parser, a widely used open-source XML parsing library maintained by NaturalIntelligence. The flaw, tracked as CVE-2026-41650 (GHSA-gh4j-gqv2-49f6), resides in the XMLBuilder component and stems from improper handling of unescaped delimiters during XML processing. Specifically, the vulnerability enables XML Comment and CDATA Injection, potentially allowing attackers to manipulate XML structures parsed by applications relying on this library.

The issue was addressed in version 5.7.0; the fix moved the library from v5.5.12 to v5.7.0. The patch changes how the XMLBuilder component handles delimiters, closing a gap that could be exploited to inject unauthorized XML comments or CDATA sections into parsed documents. The vulnerability affects any application that processes untrusted XML input using the affected versions of fast-xml-parser, raising the risk of data tampering, parsing anomalies, or downstream processing errors.

Developers using fast-xml-parser in their projects are advised to verify their dependency versions and upgrade to v5.7.0 or later immediately. Applications that expose XML parsing interfaces to external users or process XML from third-party sources face heightened exposure. The security community has flagged this as a notable risk given the library's usage footprint in production environments. Organizations should audit their dependency trees, assess whether their applications pass user-supplied XML to the parser, and monitor for any anomalous parsing behavior following the update.
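As an added illustration (this is not fast-xml-parser's code or its patch), the following shows the defensive idioms for the two delimiter kinds the advisory names, applied to a value before it is placed into a document, together with a check that the value stayed inside its section. All function names and sample inputs are constructed for this example.

```javascript
// Added example, not fast-xml-parser's own code or its patch: defensive
// handling of the comment and CDATA delimiters the advisory names, plus an
// audit that a value stayed inside its section. Names/inputs are constructed.

const CDATA_OPEN = "<![CDATA[";
const CDATA_CLOSE = "]]>";

// Naive wrapper: a "]]>" inside the value ends the section early and the
// rest of the value becomes live markup.
function naiveCdata(text) {
  return CDATA_OPEN + text + CDATA_CLOSE;
}

// Safe wrapper (standard XML idiom): split every "]]>" across two adjacent
// sections, so a parser reassembles the original text unchanged.
function safeCdata(text) {
  const joiner = "]]" + CDATA_CLOSE + CDATA_OPEN + ">";
  return CDATA_OPEN + text.split(CDATA_CLOSE).join(joiner) + CDATA_CLOSE;
}

// XML comments may not contain "--" and may not end in "-". Break every
// hyphen run with a space so the value cannot close the comment.
function safeComment(text) {
  return "<!--" + text.replace(/-(?=-)/g, "- ").replace(/-$/, "- ") + "-->";
}

// Audit: decode a fragment that should consist only of CDATA sections.
// Returns the reassembled text, or null if any markup sits outside a
// section (the signature of a breakout).
function decodeCdataOnly(xml) {
  let out = "";
  let i = 0;
  while (i < xml.length) {
    if (!xml.startsWith(CDATA_OPEN, i)) return null;
    const end = xml.indexOf(CDATA_CLOSE, i + CDATA_OPEN.length);
    if (end < 0) return null;
    out += xml.slice(i + CDATA_OPEN.length, end);
    i = end + CDATA_CLOSE.length;
  }
  return out;
}

// Audit: body of a fragment that should be exactly one intact comment,
// or null if the body could terminate the comment early.
function commentBodyIfIntact(xml) {
  if (xml.length < 7 || !xml.startsWith("<!--") || !xml.endsWith("-->")) return null;
  const body = xml.slice(4, -3);
  return body.includes("--") || body.endsWith("-") ? null : body;
}
```

Running `decodeCdataOnly` over both wrappers with the same input makes the difference concrete: the naive form returns null for a value containing `]]>`, the safe form round-trips it.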
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-41650, XML injection, fast-xml-parser, dependency vulnerability, CDATA injection
- **Credibility**: unverified
- **Published**: 2026-04-28 04:54:11
- **ID**: 77671
- **URL**: https://whisperx.ai/en/intel/77671