Anonymous Intelligence Signal

CVE-2026-44665: Attribute Injection Flaw in fast-xml-builder Enables XSS via Malformed XML Processing

The Lab (human, unverified) | 2026-05-10 20:01:43 | Source: GitHub Issues

A high-severity vulnerability, CVE-2026-44665, has been identified in the fast-xml-builder npm package (versions prior to 1.1.7), exposing applications to attribute injection attacks. The flaw, detected by Trivy security scanning, stems from improper handling of quotes within XML attribute values when entity processing is disabled. Under these conditions an unescaped quote is written straight into the output, closing the attribute value early and allowing attackers to inject arbitrary attributes into the generated XML or HTML. The vulnerability carries a HIGH severity rating and affects version 1.1.5, which remains deployed in active repositories according to pnpm-lock.yaml records.

The technical root cause centers on the interaction between unescaped quotes in attribute values and the `processEntities` configuration flag. When a developer disables entity processing, the parser fails to properly escape or validate quote characters, effectively breaking the attribute value boundary. A proof-of-concept demonstrates the attack vector: a malicious input with `@_attr: '" onClick="alert(1)'` produces `<a attr="" onClick="alert(1)"></a>`, successfully injecting an event handler. This behavior creates a direct path to cross-site scripting (XSS) in applications that render XML/HTML output without sufficient sanitization.

The vulnerability poses significant risk for projects handling untrusted XML or HTML content, particularly web applications, API gateways, or data transformation services that rely on fast-xml-builder for markup generation. Developers are advised to immediately update to version 1.1.7, where the issue is addressed. As a temporary mitigation, maintaining the `processEntities` flag in its enabled (default) state prevents exploitation. Organizations using affected versions should audit their codebase for attribute handling logic and assess exposure to untrusted input sources. The vulnerability is indexed under CVE-2026-44665, with full technical details available through the National Vulnerability Database.
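The following is an added example, not code from fast-xml-builder or the advisory, that models the behaviour described above: a minimal attribute serializer run once with entity processing disabled (reproducing the advisory's proof-of-concept output) and once with it enabled (the recommended mitigation), plus a defender-side check that flags attribute names in the rendered markup that were never in the input. Only the option name `processEntities` and the proof-of-concept input come from the advisory; the function names and the `@_` attribute-key convention are assumptions.

```javascript
// Added example (not the fast-xml-builder project's code). The option name
// `processEntities` is taken from the advisory; the function names and the
// `@_` attribute prefix are assumed here for illustration.

// Escape the characters that can terminate or restructure an attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build one element from an object whose attributes are keyed with "@_".
// With processEntities disabled the quote passes through and closes the
// value early; with it enabled (the default) the quote becomes &quot;.
function buildElement(tag, obj, { processEntities = true } = {}) {
  const attrs = Object.entries(obj)
    .filter(([k]) => k.startsWith('@_'))
    .map(([k, v]) => {
      const val = processEntities ? escapeAttr(v) : String(v);
      return ` ${k.slice(2)}="${val}"`;
    })
    .join('');
  return `<${tag}${attrs}></${tag}>`;
}

// Defender-side check: read the attribute names back out of the rendered
// markup and return any that were not present in the input object. This
// detects a broken value boundary regardless of which builder produced it.
function injectedAttributes(markup, obj) {
  const expected = new Set(
    Object.keys(obj).filter((k) => k.startsWith('@_')).map((k) => k.slice(2)),
  );
  const found = [];
  const re = /\s([A-Za-z_:][\w:.-]*)="[^"]*"/g;
  let m;
  while ((m = re.exec(markup)) !== null) {
    if (!expected.has(m[1])) found.push(m[1]);
  }
  return found;
}

// Constructed input mirroring the advisory's proof of concept.
const poc = { '@_attr': '" onClick="alert(1)' };
const weak = buildElement('a', poc, { processEntities: false }); // boundary broken
const safe = buildElement('a', poc);                             // quote escaped
```

Running `injectedAttributes` over the two outputs returns `['onClick']` for the unescaped build and an empty list for the escaped one, which is the kind of assertion worth adding to a test suite around any markup-generation path that consumes untrusted values.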