This page lists publicly disclosed CVE vulnerabilities affecting libexpat_project libexpat (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-50219 | libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur, | [email protected] | 4.9 | 0.01% | 2026-06-04 | 2026-06-04 |
| CVE-2026-45186 | In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input. | [email protected] | 2.9 | 0.00% | 2026-05-10 | 2026-05-14 |
| CVE-2026-41080 | libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. | [email protected] | 2.9 | 0.01% | 2026-04-16 | 2026-04-27 |
| CVE-2026-32778 | libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition. | [email protected] | 2.9 | 0.01% | 2026-03-16 | 2026-03-17 |
| CVE-2026-32777 | libexpat before 2.7.5 allows an infinite loop while parsing DTD content. | [email protected] | 4.0 | 0.01% | 2026-03-16 | 2026-03-17 |
| CVE-2026-32776 | libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. | [email protected] | 4.0 | 0.01% | 2026-03-16 | 2026-03-17 |
| CVE-2026-25210 | In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. | [email protected] | 6.9 | 0.01% | 2026-01-30 | 2026-06-02 |
| CVE-2026-24515 | In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. | [email protected] | 2.9 | 0.00% | 2026-01-23 | 2026-06-02 |
| CVE-2025-66382 | In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. | [email protected] | 2.9 | 0.01% | 2025-11-28 | 2026-06-02 |
| CVE-2025-59375 | libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. | [email protected] | 7.5 | 0.08% | 2025-09-15 | 2026-05-12 |
| CVE-2024-50602 | An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. | [email protected] | 5.9 | 0.13% | 2024-10-27 | 2025-10-15 |
| CVE-2024-45492 | An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). | [email protected] | 9.8 | 2.27% | 2024-08-30 | 2026-05-12 |
| CVE-2024-45491 | An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). | [email protected] | 9.8 | 1.14% | 2024-08-30 | 2026-05-12 |
| CVE-2024-45490 | An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. | [email protected] | 7.5 | 0.61% | 2024-08-30 | 2026-05-12 |
| CVE-2024-28757 | libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). | [email protected] | 7.5 | 1.23% | 2024-03-10 | 2025-11-04 |
| CVE-2023-52426 | libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. | [email protected] | 5.5 | 0.02% | 2024-02-04 | 2025-11-04 |
| CVE-2023-52425 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. | [email protected] | 7.5 | 1.55% | 2024-02-04 | 2025-11-04 |
| CVE-2022-43680 | In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. | [email protected] | 7.5 | 0.38% | 2022-10-24 | 2025-05-30 |
| CVE-2022-40674 | libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. | [email protected] | 8.1 | 0.94% | 2022-09-14 | 2025-05-30 |
| CVE-2022-25315 | In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. | [email protected] | 9.8 | 9.00% | 2022-02-18 | 2025-05-05 |