Vulnerabilities in libexpat project

22 results
CVE-2025-59375 | HIGH | libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsi | EPSS 1.3%
CVE-2026-41080 | LOW | libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. | EPSS 0.4%
CVE-2026-45186 | LOW | In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized cr | EPSS 0.3%
CVE-2026-50219 | MEDIUM | libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_Parse | EPSS 0.2%
CVE-2026-32777 | MEDIUM | libexpat before 2.7.5 allows an infinite loop while parsing DTD content. | EPSS 0.2%
CVE-2026-25210 | MEDIUM | In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow ch | EPSS 0.2%
CVE-2025-66382 | LOW | In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. | EPSS 0.2%
CVE-2026-24515 | LOW | In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. | EPSS 0.2%
CVE-2026-32776 | MEDIUM | libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. | EPSS 0.1%
CVE-2026-32778 | LOW | libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition. | EPSS 0.1%
CVE-2026-56411 | MEDIUM | xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations. | EPSS 0.1%
CVE-2026-56410 | MEDIUM | xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId. | EPSS 0.1%
CVE-2026-56412 | MEDIUM | libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls fr | EPSS 0.1%
CVE-2026-56408 | MEDIUM | libexpat before 2.8.2 has an integer overflow in copyString. | EPSS 0.1%
CVE-2026-56406 | MEDIUM | libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse. | EPSS 0.1%
CVE-2026-56405 | MEDIUM | libexpat before 2.8.2 has an integer overflow in getAttributeId. | EPSS 0.1%
CVE-2026-56407 | MEDIUM | libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen. | EPSS 0.1%
CVE-2026-56404 | MEDIUM | libexpat before 2.8.2 has an integer overflow in addBinding. | EPSS 0.1%
CVE-2026-56403 | MEDIUM | libexpat before 2.8.2 has an integer overflow in storeAtts. | EPSS 0.1%
CVE-2026-56131 | MEDIUM | libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. T | EPSS 0.1%