Libexpat Project: >> Libexpat >> 2.2.3 Security Vulnerabilities
xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.
CVSS Score
6.9
EPSS Score
0.001
Published
2026-06-21
libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.
CVSS Score
4.9
EPSS Score
0.001
Published
2026-06-21
libexpat before 2.8.2 has an integer overflow in copyString.
CVSS Score
6.9
EPSS Score
0.001
Published
2026-06-21
xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used.
CVSS Score
6.5
EPSS Score
0.001
Published
2026-06-21
xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.
CVSS Score
6.9
EPSS Score
0.001
Published
2026-06-21
libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse.
CVSS Score
6.9
EPSS Score
0.001
Published
2026-06-21
libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen.
CVSS Score
6.9
EPSS Score
0.001
Published
2026-06-21
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,
CVSS Score
4.9
EPSS Score
0.002
Published
2026-06-04
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
CVSS Score
2.9
EPSS Score
0.003
Published
2026-05-10
libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
CVSS Score
2.9
EPSS Score
0.004
Published
2026-04-16
Page 1