Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.9
libexpat XML parsing allows hash flooding attacks
CVE-2026-41080
ECHO-35d6-a603-460e
Summary
The XML parsing library used by some software may allow an attacker to overwhelm the system with a large number of XML documents, causing a denial-of-service. This is a concern because it could make the system unavailable. To fix this, update the libexpat library to version 2.7.6 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Echo | – | expat | All versions |
Original title
libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
Original description
libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
nvd CVSS3.1
2.9
Vulnerability type
CWE-331
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 16 Apr 2026