| Name | CVE-2023-26920 |
| Description | fast-xml-parser before 4.1.2 allows __proto__ for Prototype Pollution. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| node-webfont (PTS) | bookworm | 11.4.0+dfsg2+~cs35.7.26-7 | undetermined |
| node-webfont (PTS) | trixie | 11.4.0+dfsg2+~cs35.7.26-13 | undetermined |
| node-webfont (PTS) | forky, sid | 11.4.0+dfsg2+~cs35.7.26-18 | undetermined |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-webfont | source | (unstable) | undetermined | | | |
Notes
https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7
https://github.com/NaturalIntelligence/fast-xml-parser/commit/2b032a4f799c63d83991e4f992f1c68e4dd05804 (4.2.1)
node-webfont provides node-fast-xml-parser