Libexpat Project CVEs & Vulnerabilities

18 CVEs affecting Libexpat Project products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

libexpat 18
CVE-2026-56412MEDIUM

libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.

21 Jun 2026
5.9
CVSS
CVE-2026-56411MEDIUM

xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.

21 Jun 2026
6.9
CVSS
CVE-2026-56410MEDIUM

xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.

21 Jun 2026
6.9
CVSS
CVE-2026-56409MEDIUM

xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used.

21 Jun 2026
6.5
CVSS
CVE-2026-56408MEDIUM

libexpat before 2.8.2 has an integer overflow in copyString.

21 Jun 2026
6.9
CVSS
CVE-2026-56407MEDIUM

libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen.

21 Jun 2026
6.9
CVSS
CVE-2026-56406MEDIUM

libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse.

21 Jun 2026
6.9
CVSS
CVE-2026-56405MEDIUM

libexpat before 2.8.2 has an integer overflow in getAttributeId.

21 Jun 2026
6.9
CVSS
CVE-2026-56404MEDIUM

libexpat before 2.8.2 has an integer overflow in addBinding.

21 Jun 2026
6.9
CVSS
CVE-2026-56403MEDIUM

libexpat before 2.8.2 has an integer overflow in storeAtts.

21 Jun 2026
6.9
CVSS
CVE-2026-56132MEDIUM

In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.

19 Jun 2026
6.9
CVSS
CVE-2026-56131MEDIUM

libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation).

19 Jun 2026
4.9
CVSS
CVE-2026-50219MEDIUM

libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,

4 Jun 2026
5.9
CVSS
CVE-2026-7210CRITICAL

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

11 May 2026
9.8
CVSS
CVE-2026-45186HIGH

In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.

10 May 2026
7.5
CVSS
CVE-2026-32778MEDIUM

libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.

16 Mar 2026
5.5
CVSS
CVE-2026-32777MEDIUM

libexpat before 2.7.5 allows an infinite loop while parsing DTD content.

16 Mar 2026
5.5
CVSS
CVE-2026-32776MEDIUM

libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.

16 Mar 2026
5.5
CVSS
← PrevPage 1 / 1Next →