[HIGH] CVE-2026-26278 — CVSS 7.5

A HIGH-severity vulnerability identified as CVE-2026-26278 has been published on February 19, 2026 with a CVSS base score of 7.5. This security advisory provides a detailed breakdown of the vulnerability, its potential impact, weakness classification, and actionable steps to protect your systems.

Vulnerability Details

CVE ID: CVE-2026-26278
Severity: HIGH
CVSS Score: 7.5
Published: February 19, 2026
Weakness (CWE): CWE-776

Technical Description

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.

Potential Impact

If exploited, this high-severity vulnerability could allow an attacker to cause a denial of service. Organizations running affected software should treat this as a priority remediation item.

Recommended Action

No official patch is available yet. Until one is released:

1. Monitor the official NVD page and vendor channels for patch announcements.
2. Restrict access to the affected system or service where possible.
3. Apply network-level mitigations such as firewall rules or WAF policies.
4. Enable logging and alerting for anomalous activity related to this vulnerability.
5. Review your incident response plan in case of active exploitation.

View full details on NVD →

References

• Reference 1
• Reference 2
• Reference 3

Related Security Advisories

• [HIGH] CVE-2026-27464 — CVSS 7.7 (February 21, 2026) — HIGH / CVSS 7.7
• [HIGH] CVE-2026-27466 — CVSS 7.2 (February 21, 2026) — HIGH / CVSS 7.2
• [HIGH] CVE-2026-26050 — CVSS 7.8 (February 20, 2026) — HIGH / CVSS 7.8