{"id":"GO-2026-4526","summary":"Infinite loop in github.com/antchfx/xpath","details":"Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as \"1=1\" or \"true()\".","aliases":["CVE-2026-32287","GHSA-65xw-vw82-r86x"],"modified":"2026-03-30T14:29:16.654688015Z","published":"2026-03-17T20:58:59Z","related":["CGA-vrf4-vr5c-565q"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4526","review_status":"REVIEWED"},"references":[{"type":"REPORT","url":"https://github.com/antchfx/xpath/issues/121"},{"type":"FIX","url":"https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494"},{"type":"REPORT","url":"https://github.com/golang/vulndb/issues/4526"}],"affected":[{"package":{"name":"github.com/antchfx/xpath","ecosystem":"Go","purl":"pkg:golang/github.com/antchfx/xpath"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.3.6"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/antchfx/xpath","symbols":["Expr.Evaluate","NodeIterator.MoveNext","ancestorQuery.Evaluate","ancestorQuery.Select","attributeQuery.Evaluate","attributeQuery.Select","booleanQuery.Evaluate","booleanQuery.Select","cachedChildQuery.Evaluate","cachedChildQuery.Select","childQuery.Evaluate","childQuery.Select","descendantOverDescendantQuery.Evaluate","descendantOverDescendantQuery.Select","descendantQuery.Evaluate","descendantQuery.Select","filterQuery.Evaluate","filterQuery.Select","followingQuery.Evaluate","followingQuery.Select","functionQuery.Evaluate","groupQuery.Evaluate","groupQuery.Select","lastFuncQuery.Evaluate","logicalQuery.Evaluate","logicalQuery.Select","mergeQuery.Evaluate","mergeQuery.Select","numericQuery.Evaluate","parentQuery.Evaluate","parentQuery.Select","precedingQuery.Evaluate","precedingQuery.Select","selfQuery.Evaluate","selfQuery.Select","transformFunctionQuery.Evaluate","transformFunctionQuery.Select","unionQuery.Evaluate","unionQuery.Select"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4526.json"}}],"schema_version":"1.7.5"}