Libexpat Project: >> Libexpat >> 2.8.1 Security Vulnerabilities
xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.
CVSS Score
6.9
EPSS Score
0.001
Published
2026-06-21
libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.
CVSS Score
4.9
EPSS Score
0.001
Published
2026-06-21
libexpat before 2.8.2 has an integer overflow in copyString.
CVSS Score
6.9
EPSS Score
0.001
Published
2026-06-21
xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used.
CVSS Score
6.5
EPSS Score
0.001
Published
2026-06-21
xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.
CVSS Score
6.9
EPSS Score
0.001
Published
2026-06-21
libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse.
CVSS Score
6.9
EPSS Score
0.001
Published
2026-06-21
libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen.
CVSS Score
6.9
EPSS Score
0.001
Published
2026-06-21
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,
CVSS Score
4.9
EPSS Score
0.002
Published
2026-06-04