{"id":"CVE-2026-32287","summary":"Infinite loop in github.com/antchfx/xpath","details":"Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as \"1=1\" or \"true()\".","aliases":["GHSA-65xw-vw82-r86x","GO-2026-4526"],"modified":"2026-05-01T04:32:37.614791Z","published":"2026-03-26T19:40:52.142Z","related":["CGA-vrf4-vr5c-565q","SUSE-SU-2026:1135-1"],"database_specific":{"cna_assigner":"Go","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32287.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32287.json"},{"type":"FIX","url":"https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494"},{"type":"REPORT","url":"https://github.com/antchfx/xpath/issues/121"},{"type":"REPORT","url":"https://github.com/golang/vulndb/issues/4526"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32287"},{"type":"WEB","url":"https://pkg.go.dev"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2026-4526"},{"type":"EVIDENCE","url":"https://securityinfinity.com/research/infinite-loop-dos-in-antchfx-xpath-logicalquery-select"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/antchfx/xpath","events":[{"introduced":"0"},{"fixed":"afd4762cc342af56345a3fb4002a59281fcab494"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"1.3.6"}]}}],"versions":["1.1.0","v1.0.0","v1.1.0","v1.1.1","v1.1.10","v1.1.11","v1.1.2","v1.1.3","v1.1.4","v1.1.5","v1.1.6","v1.1.7","v1.1.8","v1.1.9","v1.2.0","v1.2.1","v1.2.2","v1.2.3","v1.2.4","v1.2.5","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.3.4","v1.3.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-32287.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}