wid-sec-w-2026-0772
·
Published 2026-03-17
·
View on BSI CERT-Bund ↗
IBM App Connect Enterprise (fast-xml-parser): Multiple Vulnerabilities
CVSS 9.3
CRITICAL
Risk Summary
fast-xml-parser is a JavaScript library that validates XML, parses XML into a JS object, or builds XML from a JS object without C/C++-based dependencies and without callbacks. In versions from 4.1.3 up to, but not including, 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, which lets an attacker who controls the DOCTYPE shadow the built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to cross-site scripting (XSS) when the parsed output is rendered. The vulnerability is fixed in 5.3.5. IBM App Connect Enterprise ships the affected library, hence the product list below. Where the library cannot be upgraded immediately, keep attacker-controlled XML away from the DOCTYPE/entity replacement step (fast-xml-parser's processEntities option disables it) and treat parser output as untrusted when rendering.
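The regex-wildcard mechanism described in the risk summary, as an added example that is not fast-xml-parser's code and not part of the advisory: a toy entity-replacement routine in the vulnerable shape (the entity name dropped unescaped into a RegExp) beside the escaped form, plus a version-range check for the advisory's affected range. The DOCTYPE, the text node and the helper names are constructed for the demonstration; fast-xml-parser's real internals differ in detail.

```javascript
// Added example (not fast-xml-parser's code): a minimal model of the
// DOCTYPE-entity replacement step the advisory describes, showing why an
// unescaped entity name that contains "." acts as a regex wildcard and how
// escaping the name before building the RegExp closes that hole.

// Built-in entities, decoded after custom DOCTYPE entities; "amp" goes last so
// that "&amp;lt;" decodes to "&lt;" and not to "<".
const BUILTIN_ENTITIES = { lt: "<", gt: ">", quot: '"', apos: "'", amp: "&" };

// Escape every regex metacharacter in a string (standard MDN recipe).
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Toy DOCTYPE reader: extracts <!ENTITY name "value"> declarations. Real
// parsers accept more forms; this is just enough to drive the demonstration.
function parseDoctypeEntities(xml) {
  const entities = [];
  const decl = /<!ENTITY\s+([^\s"']+)\s+"([^"]*)"\s*>/g;
  let m;
  while ((m = decl.exec(xml)) !== null) {
    entities.push({ name: m[1], value: m[2] });
  }
  return entities;
}

// Replace entity references in a text node. Custom DOCTYPE entities are
// applied first, then the built-ins. With escape=false the entity name is
// dropped straight into a RegExp, which is the vulnerable pattern; with
// escape=true the name only ever matches itself.
function expandEntities(text, entities, { escape }) {
  let out = text;
  for (const { name, value } of entities) {
    const pattern = escape ? escapeRegExp(name) : name;
    out = out.replace(new RegExp("&" + pattern + ";", "g"), value);
  }
  for (const [name, ch] of Object.entries(BUILTIN_ENTITIES)) {
    out = out.replace(new RegExp("&" + name + ";", "g"), ch);
  }
  return out;
}

// Constructed inputs for the demonstration (not taken from the advisory):
// an attacker-supplied DOCTYPE whose entity name "l." matches "&lt;" as a
// regex, and a text node that encodes "<" and ">" the normal way.
const ATTACKER_DOCTYPE =
  '<!DOCTYPE x [<!ENTITY l. "<img src=x onerror=alert(1)>">]>';
const DOCUMENT_TEXT = "&lt;b&gt;hello&lt;/b&gt;";

// Version-range check for the advisory's affected range, 4.1.3 <= v < 5.3.5.
// Assumes plain semver release strings with an optional prerelease tag.
function compareVersions(a, b) {
  const [baseA, preA] = a.split("-");
  const [baseB, preB] = b.split("-");
  const na = baseA.split(".").map(Number);
  const nb = baseB.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (na[i] || 0) - (nb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  // Same release numbers: a prerelease sorts before the release (semver).
  if (Boolean(preA) !== Boolean(preB)) return preA ? -1 : 1;
  return 0;
}

function isAffectedVersion(version) {
  if (!/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(version)) {
    throw new Error("unparseable version string: " + version);
  }
  return compareVersions(version, "4.1.3") >= 0 &&
         compareVersions(version, "5.3.5") < 0;
}

// Stand-alone demonstration.
const demoEntities = parseDoctypeEntities(ATTACKER_DOCTYPE);
console.log("vulnerable:", expandEntities(DOCUMENT_TEXT, demoEntities, { escape: false }));
console.log("hardened:  ", expandEntities(DOCUMENT_TEXT, demoEntities, { escape: true }));
for (const v of ["4.1.2", "4.1.3", "5.3.4", "5.3.5-rc.1", "5.3.5"]) {
  console.log(v, isAffectedVersion(v) ? "affected" : "not affected");
}
```

Run it with node. In the vulnerable path every "&lt;" in the text node is rewritten to the attacker's value before the built-in decoding runs, so the consumer receives attacker-chosen markup where it expected a literal "<"; whether that becomes XSS depends on how the consumer renders the decoded text, which is why the advisory ties the impact to rendering. Escaping the name (or rejecting names that are not valid XML Names) makes the custom entity match only itself, which is the shape of fix the 5.3.5 release provides.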
CVEs (2)
Affected Vendors
IBM
Affected Products (8)
IBM · App Connect Enterprise · <13.0.6.2
IBM · App Connect Enterprise · 13.0.6.2
IBM · App Connect Enterprise · <12.0.12.24
IBM · App Connect Enterprise · 12.0.12.24
IBM · App Connect Enterprise · Container Operator <12.0.22
IBM · App Connect Enterprise · Container Operator 12.0.22
IBM · App Connect Enterprise · Certified Container Operator <13.0.0
IBM · App Connect Enterprise · Certified Container Operator 13.0.0
Each "<" range is listed next to a single exact version; confirm against IBM's own bulletin which build carries the fix before treating an installed exact version as remediated.