Libexpat Project: community verdicts
12 notable / known-exploited Libexpat Project CVEs the community has triaged.
- CVE-2026-56411MED 6.9EPSS 0%
xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.
- CVE-2026-56410MED 6.9EPSS 0%
xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.
- CVE-2026-56412MED 4.9EPSS 0%
libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.
- CVE-2026-56404MED 6.9EPSS 0%
libexpat before 2.8.2 has an integer overflow in addBinding.
- CVE-2026-56407MED 6.9EPSS 0%
libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen.
- CVE-2026-56406MED 6.9EPSS 0%
libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse.
- CVE-2026-56403MED 6.9EPSS 0%
libexpat before 2.8.2 has an integer overflow in storeAtts.
- CVE-2026-56405MED 6.9EPSS 0%
libexpat before 2.8.2 has an integer overflow in getAttributeId.
- CVE-2026-56408MED 6.9EPSS 0%
libexpat before 2.8.2 has an integer overflow in copyString.
- CVE-2026-56131MED 4.9EPSS 0%
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation).
- CVE-2026-56409MED 6.5EPSS 0%
xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used.
- CVE-2026-56132MED 6.9EPSS 0%
In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.