Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Fast-XML-Parser: Untrusted XML Data Injection
ROOT-APP-NPM-CVE-2026-26278
Summary
A security update has been released for the Fast-XML-Parser library used by some Root projects. This update fixes a bug that could allow an attacker to inject malicious data into the affected system. If you use this library, patch your project to the latest version to ensure you have the fix.
What to do
- Update rootio @rootio/fast-xml-parser to version 4.4.1-root.io.6.
- Update rootio @rootio/fast-xml-parser to version 5.3.4-root.io.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| rootio | @rootio/fast-xml-parser | <= 4.4.1-root.io.6 | 4.4.1-root.io.6 |
| rootio | @rootio/fast-xml-parser | <= 5.3.4-root.io.5 | 5.3.4-root.io.5 |
Original title
CVE-2026-26278 in @rootio/fast-xml-parser - Patched by Root
Original description
Root has patched CVE-2026-26278 in the @rootio/fast-xml-parser package for Root:npm. Multiple fixed versions available.
Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 29 Mar 2026