{"id":"UBUNTU-CVE-2026-25128","details":"fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries or callbacks. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `&#9999999;` or `&#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input (a denial of service). Version 5.3.4 fixes the issue.","modified":"2026-02-18T20:18:16.425294Z","published":"2026-01-30T16:16:00Z","upstream":["CVE-2026-25128"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-25128"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2026-25128"},{"type":"REPORT","url":"https://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc"},{"type":"REPORT","url":"https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4"},{"type":"REPORT","url":"https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh"}],"affected":[{"package":{"name":"node-webfont","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/node-webfont@11.4.0+dfsg2+~cs35.7.26-7ubuntu1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["11.4.0+dfsg2+~cs35.7.26-7ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"node-webfont","binary_version":"11.4.0+dfsg2+~cs35.7.26-7ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25128.json"}},{"package":{"name":"node-webfont","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/node-webfont@11.4.0+dfsg2+~cs35.7.26-13ubuntu2?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["11.4.0+dfsg2+~cs35.7.26-10","11.4.0+dfsg2+~cs35.7.26-13ubuntu2"],
"ecosystem_specific":{"binaries":[{"binary_name":"node-webfont","binary_version":"11.4.0+dfsg2+~cs35.7.26-13ubuntu2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25128.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}