DEBIAN-CVE-2026-33036

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-33036

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33036.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-33036

Upstream

CVE-2026-33036

Published

2026-03-20T06:16:11.630Z

Modified

2026-03-21T10:04:46.949870Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like A can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.

References

https://security-tracker.debian.org/tracker/CVE-2026-33036

Affected packages

Debian:12 / node-webfont

Package

Name: node-webfont
Purl: pkg:deb/debian/node-webfont?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

11.*

11.4.0+dfsg2+~cs35.7.26-7

11.4.0+dfsg2+~cs35.7.26-8

11.4.0+dfsg2+~cs35.7.26-9

11.4.0+dfsg2+~cs35.7.26-10

11.4.0+dfsg2+~cs35.7.26-11

11.4.0+dfsg2+~cs35.7.26-12

11.4.0+dfsg2+~cs35.7.26-13

11.4.0+dfsg2+~cs35.7.26-14

11.4.0+dfsg2+~cs35.7.26-15

11.4.0+dfsg2+~cs35.7.26-16

11.4.0+dfsg2+~cs35.7.26-18

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33036.json"

Debian:13 / node-webfont

Package

Name: node-webfont
Purl: pkg:deb/debian/node-webfont?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

11.*

11.4.0+dfsg2+~cs35.7.26-13

11.4.0+dfsg2+~cs35.7.26-14

11.4.0+dfsg2+~cs35.7.26-15

11.4.0+dfsg2+~cs35.7.26-16

11.4.0+dfsg2+~cs35.7.26-18

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33036.json"

Debian:14 / node-webfont

Package

Name: node-webfont
Purl: pkg:deb/debian/node-webfont?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

11.*

11.4.0+dfsg2+~cs35.7.26-13

11.4.0+dfsg2+~cs35.7.26-14

11.4.0+dfsg2+~cs35.7.26-15

11.4.0+dfsg2+~cs35.7.26-16

11.4.0+dfsg2+~cs35.7.26-18

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33036.json"