Vulnerability-Lookup

CVE-2026-33036 (GCVE-0-2026-33036)

Vulnerability from cvelistv5 – Published: 2026-03-20 05:17 – Updated: 2026-03-25 13:57

Title

fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)

Summary

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like A can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	NaturalIntelligence	fast-xml-parser	Affected: >= 4.0.0-beta.3, < 5.5.6

GHSA-8GC5-J5RX-235R

Vulnerability from github – Published: 2026-03-17 19:45 – Updated: 2026-03-25 14:31

Summary

fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)

Details

Summary

The fix for CVE-2026-26278 added entity expansion limits (maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize) to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references (&#NNN; and &#xHH;) and standard XML entities (<, >, etc.) are processed through a separate code path that does NOT enforce any expansion limits.

An attacker can use massive numbers of numeric entity references to completely bypass all configured limits, causing excessive memory allocation and CPU consumption.

Affected Versions

fast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm)

Root Cause

In src/xmlparser/OrderedObjParser.js, the replaceEntitiesValue() function has two separate entity replacement loops:

Lines 638-670: DOCTYPE entities — expansion counting with entityExpansionCount and currentExpandedLength tracking. This was the CVE-2026-26278 fix.
Lines 674-677: lastEntities loop — replaces standard entities including num_dec (/&#([0-9]{1,7});/g) and num_hex (/&#x([0-9a-fA-F]{1,6});/g). This loop has NO expansion counting at all.

The numeric entity regex replacements at lines 97-98 are part of lastEntities and go through the uncounted loop, completely bypassing the CVE-2026-26278 fix.

Proof of Concept

const { XMLParser } = require('fast-xml-parser');

// Even with strict explicit limits, numeric entities bypass them
const parser = new XMLParser({
  processEntities: {
    enabled: true,
    maxTotalExpansions: 10,
    maxExpandedLength: 100,
    maxEntityCount: 1,
    maxEntitySize: 10
  }
});

// 100K numeric entity references — should be blocked by maxTotalExpansions=10
const xml = `<root>${'&#65;'.repeat(100000)}</root>`;
const result = parser.parse(xml);

// Output: 500,000 chars — bypasses maxExpandedLength=100 completely
console.log('Output length:', result.root.length);  // 500000
console.log('Expected max:', 100);  // limit was 100

Results: - 100K A references → 500,000 char output (5x default maxExpandedLength of 100,000) - 1M references → 5,000,000 char output, ~147MB memory consumed - Even with maxTotalExpansions=10 and maxExpandedLength=100, 10K references produce 50,000 chars - Hex entities (A) exhibit the same bypass

Impact

Denial of Service — An attacker who can provide XML input to applications using fast-xml-parser can cause: - Excessive memory allocation (147MB+ for 1M entity references) - CPU consumption during regex replacement - Potential process crash via OOM

This is particularly dangerous because the application developer may have explicitly configured strict entity expansion limits believing they are protected, while numeric entities silently bypass all of them.

Suggested Fix

Apply the same entityExpansionCount and currentExpandedLength tracking to the lastEntities loop (lines 674-677) and the HTML entities loop (lines 680-686), similar to how DOCTYPE entities are tracked at lines 638-670.

Workaround

Set htmlEntities:false

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-beta.3"
            },
            {
              "fixed": "4.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T19:45:41Z",
    "nvd_published_at": "2026-03-20T06:16:11Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe fix for CVE-2026-26278 added entity expansion limits (`maxTotalExpansions`, `maxExpandedLength`, `maxEntityCount`, `maxEntitySize`) to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. **Numeric character references** (`\u0026#NNN;` and `\u0026#xHH;`) and standard XML entities (`\u0026lt;`, `\u0026gt;`, etc.) are processed through a separate code path that does NOT enforce any expansion limits.\n\nAn attacker can use massive numbers of numeric entity references to completely bypass all configured limits, causing excessive memory allocation and CPU consumption.\n\n## Affected Versions\n\nfast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm)\n\n## Root Cause\n\nIn `src/xmlparser/OrderedObjParser.js`, the `replaceEntitiesValue()` function has two separate entity replacement loops:\n\n1. **Lines 638-670**: DOCTYPE entities \u2014 expansion counting with `entityExpansionCount` and `currentExpandedLength` tracking. This was the CVE-2026-26278 fix.\n2. **Lines 674-677**: `lastEntities` loop \u2014 replaces standard entities including `num_dec` (`/\u0026#([0-9]{1,7});/g`) and `num_hex` (`/\u0026#x([0-9a-fA-F]{1,6});/g`). **This loop has NO expansion counting at all.**\n\nThe numeric entity regex replacements at lines 97-98 are part of `lastEntities` and go through the uncounted loop, completely bypassing the CVE-2026-26278 fix.\n\n## Proof of Concept\n\n```javascript\nconst { XMLParser } = require(\u0027fast-xml-parser\u0027);\n\n// Even with strict explicit limits, numeric entities bypass them\nconst parser = new XMLParser({\n  processEntities: {\n    enabled: true,\n    maxTotalExpansions: 10,\n    maxExpandedLength: 100,\n    maxEntityCount: 1,\n    maxEntitySize: 10\n  }\n});\n\n// 100K numeric entity references \u2014 should be blocked by maxTotalExpansions=10\nconst xml = `\u003croot\u003e${\u0027\u0026#65;\u0027.repeat(100000)}\u003c/root\u003e`;\nconst result = parser.parse(xml);\n\n// Output: 500,000 chars \u2014 bypasses maxExpandedLength=100 completely\nconsole.log(\u0027Output length:\u0027, result.root.length);  // 500000\nconsole.log(\u0027Expected max:\u0027, 100);  // limit was 100\n```\n\n**Results:**\n- 100K `\u0026#65;` references \u2192 500,000 char output (5x default maxExpandedLength of 100,000)\n- 1M references \u2192 5,000,000 char output, ~147MB memory consumed\n- Even with `maxTotalExpansions=10` and `maxExpandedLength=100`, 10K references produce 50,000 chars\n- Hex entities (`\u0026#x41;`) exhibit the same bypass\n\n## Impact\n\n**Denial of Service** \u2014 An attacker who can provide XML input to applications using fast-xml-parser can cause:\n- Excessive memory allocation (147MB+ for 1M entity references)\n- CPU consumption during regex replacement\n- Potential process crash via OOM\n\nThis is particularly dangerous because the application developer may have explicitly configured strict entity expansion limits believing they are protected, while numeric entities silently bypass all of them.\n\n## Suggested Fix\n\nApply the same `entityExpansionCount` and `currentExpandedLength` tracking to the `lastEntities` loop (lines 674-677) and the HTML entities loop (lines 680-686), similar to how DOCTYPE entities are tracked at lines 638-670.\n\n## Workaround\n\nSet `htmlEntities:false`",
  "id": "GHSA-8gc5-j5rx-235r",
  "modified": "2026-03-25T14:31:39Z",
  "published": "2026-03-17T19:45:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.5.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)"
}

cleanstart-2026-gs57401

Vulnerability from cleanstart

Published

2026-04-01 09:43

Modified

2026-03-19 07:48

Summary

Security fixes for CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-2391, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.3-r1

Details

Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2025-69873	WEB
	https://osv.dev/vulnerability/CVE-2026-1525	WEB
	https://osv.dev/vulnerability/CVE-2026-1526	WEB
	https://osv.dev/vulnerability/CVE-2026-1527	WEB
	https://osv.dev/vulnerability/CVE-2026-1528	WEB
	https://osv.dev/vulnerability/CVE-2026-2229	WEB
	https://osv.dev/vulnerability/CVE-2026-2327	WEB
	https://osv.dev/vulnerability/CVE-2026-2391	WEB
	https://osv.dev/vulnerability/CVE-2026-25128	WEB
	https://osv.dev/vulnerability/CVE-2026-25547	WEB
	https://osv.dev/vulnerability/CVE-2026-2581	WEB
	https://osv.dev/vulnerability/CVE-2026-25896	WEB
	https://osv.dev/vulnerability/CVE-2026-26278	WEB
	https://osv.dev/vulnerability/CVE-2026-26960	WEB
	https://osv.dev/vulnerability/CVE-2026-27601	WEB
	https://osv.dev/vulnerability/CVE-2026-27903	WEB
	https://osv.dev/vulnerability/CVE-2026-27904	WEB
	https://osv.dev/vulnerability/CVE-2026-27942	WEB
	https://osv.dev/vulnerability/CVE-2026-28292	WEB
	https://osv.dev/vulnerability/CVE-2026-29786	WEB
	https://osv.dev/vulnerability/CVE-2026-31802	WEB
	https://osv.dev/vulnerability/CVE-2026-32141	WEB
	https://osv.dev/vulnerability/CVE-2026-33036	WEB
	https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74	WEB
	https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f	WEB
	https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6	WEB
	https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm	WEB
	https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh	WEB
	https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw	WEB
	https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26	WEB
	https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq	WEB
	https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2	WEB
	https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj	WEB
	https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx	WEB
	https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r	WEB
	https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf	WEB
	https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256	WEB
	https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj	WEB
	https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3	WEB
	https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj	WEB
	https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2	WEB
	https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h	WEB
	https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96	WEB
	https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw	WEB
	https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q	WEB
	https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8	WEB
	https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q	WEB
	https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-69873	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1525	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1526	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1527	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1528	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2229	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2327	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2391	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25128	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25547	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2581	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25896	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-26278	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-26960	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27601	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27903	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27904	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27942	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-28292	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-29786	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-31802	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32141	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33036	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "renovate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "43.4.3-r1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-GS57401",
  "modified": "2026-03-19T07:48:38Z",
  "published": "2026-04-01T09:43:24.793409Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-GS57401.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-69873"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1525"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1526"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1527"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1528"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2229"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2327"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2391"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25128"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25547"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2581"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25896"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-26278"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-26960"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27601"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27903"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27904"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27942"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-28292"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-29786"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-31802"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32141"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33036"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-2391, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.3-r1",
  "upstream": [
    "CVE-2025-69873",
    "CVE-2026-1525",
    "CVE-2026-1526",
    "CVE-2026-1527",
    "CVE-2026-1528",
    "CVE-2026-2229",
    "CVE-2026-2327",
    "CVE-2026-2391",
    "CVE-2026-25128",
    "CVE-2026-25547",
    "CVE-2026-2581",
    "CVE-2026-25896",
    "CVE-2026-26278",
    "CVE-2026-26960",
    "CVE-2026-27601",
    "CVE-2026-27903",
    "CVE-2026-27904",
    "CVE-2026-27942",
    "CVE-2026-28292",
    "CVE-2026-29786",
    "CVE-2026-31802",
    "CVE-2026-32141",
    "CVE-2026-33036",
    "ghsa-23c5-xmqv-rm74",
    "ghsa-25h7-pfq9-p65f",
    "ghsa-2g4f-4pwh-qvx6",
    "ghsa-2mjp-6q6p-2qxm",
    "ghsa-37qj-frw5-hhjh",
    "ghsa-38c4-r59v-3vqw",
    "ghsa-3ppc-4f35-3m26",
    "ghsa-4992-7rv2-5pvq",
    "ghsa-7h2j-956f-4vf2",
    "ghsa-7r86-cg39-jmmj",
    "ghsa-83g3-92jg-28cx",
    "ghsa-8gc5-j5rx-235r",
    "ghsa-8wc6-vgrq-x6cf",
    "ghsa-9ppj-qmqm-q256",
    "ghsa-f269-vfmq-vjvj",
    "ghsa-fj3w-jwp8-x2g3",
    "ghsa-jmr7-xgp7-cmfj",
    "ghsa-m7jm-9gc2-mpf2",
    "ghsa-phc3-fgpg-7m6h",
    "ghsa-qffp-2rhf-9h96",
    "ghsa-qpx9-hpmf-5gmw",
    "ghsa-r275-fr43-pm7q",
    "ghsa-v9p9-hfj2-hcw8",
    "ghsa-vrm6-8vpv-qv8q",
    "ghsa-w7fw-mjwx-w883"
  ]
}

cleanstart-2026-dv49099

Vulnerability from cleanstart

Published

2026-04-01 09:31

Modified

2026-03-23 10:49

Summary

Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0

Details

Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2025-64756	WEB
	https://osv.dev/vulnerability/CVE-2025-69873	WEB
	https://osv.dev/vulnerability/CVE-2026-1525	WEB
	https://osv.dev/vulnerability/CVE-2026-1526	WEB
	https://osv.dev/vulnerability/CVE-2026-1527	WEB
	https://osv.dev/vulnerability/CVE-2026-1528	WEB
	https://osv.dev/vulnerability/CVE-2026-2229	WEB
	https://osv.dev/vulnerability/CVE-2026-2327	WEB
	https://osv.dev/vulnerability/CVE-2026-23745	WEB
	https://osv.dev/vulnerability/CVE-2026-2391	WEB
	https://osv.dev/vulnerability/CVE-2026-24842	WEB
	https://osv.dev/vulnerability/CVE-2026-25128	WEB
	https://osv.dev/vulnerability/CVE-2026-25547	WEB
	https://osv.dev/vulnerability/CVE-2026-2581	WEB
	https://osv.dev/vulnerability/CVE-2026-25896	WEB
	https://osv.dev/vulnerability/CVE-2026-26278	WEB
	https://osv.dev/vulnerability/CVE-2026-26960	WEB
	https://osv.dev/vulnerability/CVE-2026-27601	WEB
	https://osv.dev/vulnerability/CVE-2026-27903	WEB
	https://osv.dev/vulnerability/CVE-2026-27904	WEB
	https://osv.dev/vulnerability/CVE-2026-27942	WEB
	https://osv.dev/vulnerability/CVE-2026-28292	WEB
	https://osv.dev/vulnerability/CVE-2026-29786	WEB
	https://osv.dev/vulnerability/CVE-2026-31802	WEB
	https://osv.dev/vulnerability/CVE-2026-32141	WEB
	https://osv.dev/vulnerability/CVE-2026-33036	WEB
	https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74	WEB
	https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f	WEB
	https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6	WEB
	https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm	WEB
	https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v	WEB
	https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh	WEB
	https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw	WEB
	https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26	WEB
	https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq	WEB
	https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2	WEB
	https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx	WEB
	https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2	WEB
	https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj	WEB
	https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx	WEB
	https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r	WEB
	https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97	WEB
	https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf	WEB
	https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256	WEB
	https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj	WEB
	https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3	WEB
	https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj	WEB
	https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2	WEB
	https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h	WEB
	https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96	WEB
	https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw	WEB
	https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q	WEB
	https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w	WEB
	https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8	WEB
	https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q	WEB
	https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-64756	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-69873	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1525	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1526	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1527	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1528	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2229	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2327	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-23745	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2391	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-24842	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25128	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25547	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2581	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25896	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-26278	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-26960	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27601	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27903	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27904	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27942	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-28292	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-29786	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-31802	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32141	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33036	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "renovate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "43.4.4-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-DV49099",
  "modified": "2026-03-23T10:49:42Z",
  "published": "2026-04-01T09:31:16.419730Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-DV49099.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-64756"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-69873"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1525"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1526"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1527"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1528"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2229"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2327"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-23745"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2391"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-24842"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25128"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25547"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2581"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25896"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-26278"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-26960"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27601"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27903"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27904"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27942"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-28292"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-29786"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-31802"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32141"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33036"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0",
  "upstream": [
    "CVE-2025-64756",
    "CVE-2025-69873",
    "CVE-2026-1525",
    "CVE-2026-1526",
    "CVE-2026-1527",
    "CVE-2026-1528",
    "CVE-2026-2229",
    "CVE-2026-2327",
    "CVE-2026-23745",
    "CVE-2026-2391",
    "CVE-2026-24842",
    "CVE-2026-25128",
    "CVE-2026-25547",
    "CVE-2026-2581",
    "CVE-2026-25896",
    "CVE-2026-26278",
    "CVE-2026-26960",
    "CVE-2026-27601",
    "CVE-2026-27903",
    "CVE-2026-27904",
    "CVE-2026-27942",
    "CVE-2026-28292",
    "CVE-2026-29786",
    "CVE-2026-31802",
    "CVE-2026-32141",
    "CVE-2026-33036",
    "ghsa-23c5-xmqv-rm74",
    "ghsa-25h7-pfq9-p65f",
    "ghsa-2g4f-4pwh-qvx6",
    "ghsa-2mjp-6q6p-2qxm",
    "ghsa-34x7-hfp2-rc4v",
    "ghsa-37qj-frw5-hhjh",
    "ghsa-38c4-r59v-3vqw",
    "ghsa-3ppc-4f35-3m26",
    "ghsa-4992-7rv2-5pvq",
    "ghsa-5j98-mcp5-4vw2",
    "ghsa-73rr-hh4g-fpgx",
    "ghsa-7h2j-956f-4vf2",
    "ghsa-7r86-cg39-jmmj",
    "ghsa-83g3-92jg-28cx",
    "ghsa-8gc5-j5rx-235r",
    "ghsa-8qq5-rm4j-mr97",
    "ghsa-8wc6-vgrq-x6cf",
    "ghsa-9ppj-qmqm-q256",
    "ghsa-f269-vfmq-vjvj",
    "ghsa-fj3w-jwp8-x2g3",
    "ghsa-jmr7-xgp7-cmfj",
    "ghsa-m7jm-9gc2-mpf2",
    "ghsa-phc3-fgpg-7m6h",
    "ghsa-qffp-2rhf-9h96",
    "ghsa-qpx9-hpmf-5gmw",
    "ghsa-r275-fr43-pm7q",
    "ghsa-r6q2-hw4h-h46w",
    "ghsa-v9p9-hfj2-hcw8",
    "ghsa-vrm6-8vpv-qv8q",
    "ghsa-w7fw-mjwx-w883"
  ]
}

OPENSUSE-SU-2026:10462-1

Vulnerability from csaf_opensuse - Published: 2026-03-30 00:00 - Updated: 2026-03-30 00:00

Summary

heroic-games-launcher-2.20.1-4.1 on GA media

Severity

Moderate

Notes

Title of the patch: heroic-games-launcher-2.20.1-4.1 on GA media

Description of the patch: These are all security issues fixed in the heroic-games-launcher-2.20.1-4.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10462

CVE-2026-33036

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

FKIE_CVE-2026-33036

Vulnerability from fkie_nvd - Published: 2026-03-20 06:16 - Updated: 2026-03-23 16:28

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01	Patch
security-advisories@github.com	https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6	Product, Release Notes
security-advisories@github.com	https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r	Exploit, Mitigation, Vendor Advisory

Impacted products

Vendor	Product	Version
naturalintelligence	fast-xml-parser	*
naturalintelligence	fast-xml-parser	4.0.0
naturalintelligence	fast-xml-parser	4.0.0
naturalintelligence	fast-xml-parser	4.0.0
naturalintelligence	fast-xml-parser	4.0.0
naturalintelligence	fast-xml-parser	4.0.0
naturalintelligence	fast-xml-parser	4.0.0
naturalintelligence	fast-xml-parser	4.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB9177BC-BACD-4367-9063-398ACE2AB4A7",
              "versionEndExcluding": "5.5.6",
              "versionStartIncluding": "4.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "2398B145-2ED8-4197-8838-FAE7AD7666E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "44B6C4BE-69F4-4651-80EE-055D1F99F7EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "4B32E8C4-15A7-466D-98A7-9EDD6B45F883",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:*",
              "matchCriteriaId": "23CDA792-75FA-48A7-8577-4266A0BFB3A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6:*:*:*:*:*:*",
              "matchCriteriaId": "D4B7FD7D-0059-4D5B-898D-539AB43AA24A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7:*:*:*:*:*:*",
              "matchCriteriaId": "42844DDE-AD5B-4684-8104-1C2D133C6098",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8:*:*:*:*:*:*",
              "matchCriteriaId": "C045B7F2-16A9-47C9-B08D-71847A940B93",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (\u0026#NNN;, \u0026#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like \u0026#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6."
    },
    {
      "lang": "es",
      "value": "fast-xml-parser permite a los usuarios procesar XML desde objetos JS sin bibliotecas basadas en C/C++ ni callbacks. Las versiones 4.0.0-beta.3 hasta la 5.5.5 contienen una vulnerabilidad de bypass donde las referencias de caracteres num\u00e9ricos (\u0026amp;#NNN;, \u0026amp;#xHH;) y las entidades XML est\u00e1ndar evaden completamente los l\u00edmites de expansi\u00f3n de entidades (p. ej., maxTotalExpansions, maxExpandedLength) a\u00f1adidos para corregir CVE-2026-26278, lo que permite la denegaci\u00f3n de servicio por expansi\u00f3n de entidades XML. La causa ra\u00edz es que replaceEntitiesValue() en OrderedObjParser.js solo aplica el conteo de expansi\u00f3n en entidades definidas en DOCTYPE, mientras que el bucle lastEntities que maneja las entidades num\u00e9ricas/est\u00e1ndar no realiza ning\u00fan conteo. Un atacante que suministre 1M de referencias de entidades num\u00e9ricas como A puede forzar una asignaci\u00f3n de memoria de ~147MB y un uso intensivo de CPU, lo que podr\u00eda bloquear el proceso, incluso cuando los desarrolladores han configurado l\u00edmites estrictos. Este problema ha sido corregido en la versi\u00f3n 5.5.6."
    }
  ],
  "id": "CVE-2026-33036",
  "lastModified": "2026-03-23T16:28:10.930",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T06:16:11.630",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-776"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33036 (GCVE-0-2026-33036)

GHSA-8GC5-J5RX-235R

Summary

Affected Versions

Root Cause

Proof of Concept

Impact

Suggested Fix

Workaround

cleanstart-2026-gs57401

Vulnerability from cleanstart

cleanstart-2026-dv49099

Vulnerability from cleanstart

OPENSUSE-SU-2026:10462-1

FKIE_CVE-2026-33036

Tags

Sightings

Nomenclature