Libexpat

This hub aggregates every CVE we track for Libexpat, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Libexpat.

• CVE-2026-56412libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, ...4.9Jun 21, 2026
• CVE-2026-56411xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.6.9Jun 21, 2026
• CVE-2026-56410xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.6.9Jun 21, 2026
• CVE-2026-56409xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used.6.5Jun 21, 2026
• CVE-2026-56408libexpat before 2.8.2 has an integer overflow in copyString.6.9Jun 21, 2026
• CVE-2026-56407libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen.6.9Jun 21, 2026
• CVE-2026-56406libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse.6.9Jun 21, 2026
• CVE-2026-56405libexpat before 2.8.2 has an integer overflow in getAttributeId.6.9Jun 21, 2026
• CVE-2026-56404libexpat before 2.8.2 has an integer overflow in addBinding.6.9Jun 21, 2026
• CVE-2026-56403libexpat before 2.8.2 has an integer overflow in storeAtts.6.9Jun 21, 2026
• CVE-2026-56132In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.6.9Jun 19, 2026
• CVE-2026-56131libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-...4.9Jun 19, 2026
• CVE-2026-50219libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violatio...4.9Jun 4, 2026
• CVE-2026-45186In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.2.9May 10, 2026
• CVE-2026-41080libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.2.9Apr 16, 2026